GHSA-35rx-7pc8-6963
GitHub Security Advisory
API keys stored in plain text by Jenkins Katalon Plugin
✓ GitHub Reviewed
MODERATE
Has CVE
Advisory Details
Jenkins Katalon Plugin 1.0.32 and earlier stores API keys unencrypted in job `config.xml` files on the Jenkins controller as part of its configuration.
These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
Katalon Plugin 1.0.33 no longer stores the API keys directly, instead accessing them through its [Credentials Plugin](https://plugins.jenkins.io/credentials) integration, once affected job configurations are saved again.
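Because the fix only takes effect once a job configuration is saved again, it helps to find jobs whose `config.xml` was last written by a pre-1.0.33 plugin. The following is an added example, not code from the advisory or the plugin: it relies on the `plugin="name@version"` attribute Jenkins writes on plugin-provided elements when it saves a job. The class and element names in the sample XML are constructed placeholders, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

PLUGIN_ID = "katalon"   # artifact ID from the advisory's Maven coordinates
FIXED = (1, 0, 33)      # first fixed release per the advisory

# Constructed sample: class and element names are placeholders, not the plugin's schema.
SAMPLE = """<?xml version='1.1' encoding='UTF-8'?>
<project>
  <builders>
    <example.KatalonBuilder plugin="katalon@1.0.32">
      <apiKey>CONSTRUCTED-PLACEHOLDER</apiKey>
    </example.KatalonBuilder>
  </builders>
</project>"""

def parse_version(text):
    """'1.0.32' -> (1, 0, 32); anything after the first three numbers is ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", text)[:3])

def stale_katalon_elements(config_xml):
    """Return (tag, version) for elements last saved by a pre-fix Katalon plugin."""
    # Jenkins writes an XML 1.1 declaration, which Python's expat parser rejects.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", config_xml, count=1)
    hits = []
    for el in ET.fromstring(body).iter():
        name, _, version = el.get("plugin", "").partition("@")
        # A missing version parses to () and is treated as stale.
        if name == PLUGIN_ID and parse_version(version) < FIXED:
            hits.append((el.tag, version))
    return hits

def scan_jenkins_home(home):
    """Return ({config path: stale elements}, [paths that could not be checked])."""
    stale, unchecked = {}, []
    for path in sorted(Path(home).glob("jobs/**/config.xml")):
        try:
            hits = stale_katalon_elements(path.read_text(encoding="utf-8"))
        except (ET.ParseError, OSError, UnicodeDecodeError):
            unchecked.append(str(path))  # report, never silently skip
            continue
        if hits:
            stale[str(path)] = hits
    return stale, unchecked

if __name__ == "__main__":
    print(stale_katalon_elements(SAMPLE))
```

Jobs reported as stale still need to be re-saved after the upgrade, and any API key that was stored in them should be treated as exposed to anyone who had Item/Extended Read permission or file system access.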
Affected Packages
Maven: org.jenkins-ci.plugins:katalon
Affected versions: 0 (fixed in 1.0.33)
Key Information
5.0/10
Dataset
Last updated: July 6, 2025 6:30 AM
Data from GitHub Advisory Database. This information is provided for research and educational purposes.