S3 Explorer Plugin stores AWS_SECRET_ACCESS_KEY in its global configuration file `s3explorer.xml` on the Jenkins controller as part of its configuration.

While this secret is stored encrypted on disk, in S3 Explorer Plugin 1.0.8 and earlier the global configuration form does not mask the AWS_SECRET_ACCESS_KEY form field, increasing the potential for attackers to observe and capture it.

Affected Packages

Maven io.jenkins.plugins:s3explorer

Affected versions: 0 (last affected: 1.0.8)

Related CVEs

CVE-2022-43426

Key Information

GHSA ID

GHSA-mf4p-wjrm-cmjp

Published

October 19, 2022 7:00 PM

Last Modified

December 16, 2022 7:53 PM

CVSS Score

2.5 /10

Primary Ecosystem

Maven

Primary Package

io.jenkins.plugins:s3explorer

GitHub Reviewed

✓ Yes

Dataset

Last updated: August 25, 2025 6:33 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.