CVE-2025-53653
BaseFortify
Publication date: 2025-07-09
Last updated on: 2025-11-04
Assigner: Jenkins Project
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jenkins | aqua_security_scanner | up to and including 3.2.8 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-311 | The product does not encrypt sensitive or critical information before storage or transmission. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs in Jenkins Aqua Security Scanner Plugin version 3.2.8 and earlier, where Scanner Tokens for the Aqua API are stored unencrypted in job config.xml files on the Jenkins controller. These tokens can be viewed by users who have Item/Extended Read permission or by anyone with access to the Jenkins controller file system.
How can this vulnerability impact me?
The vulnerability can lead to unauthorized disclosure of sensitive Scanner Tokens, which could allow attackers or unauthorized users to access the Aqua API with the privileges of the compromised tokens. This could result in unauthorized actions or data exposure within the Aqua Security environment.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by checking the job config.xml files on the Jenkins controller for unencrypted Aqua API Scanner Tokens. Specifically, look for the presence of these tokens in the config.xml files of Jenkins jobs. Since the tokens are stored unencrypted, searching for known token patterns or keywords related to Aqua API tokens within these files can help identify the vulnerability. A command such as `grep -r "Aqua" /path/to/jenkins/jobs/*/config.xml`, run on the Jenkins controller file system, may assist in detection.
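A keyword grep finds the plugin's configuration but cannot tell an encrypted token from a plaintext one. The script below is an added example, not code from this page, from the Jenkins project or from the Aqua plugin: it walks every job config.xml under a JENKINS_HOME, looks at elements whose names suggest a secret (a heuristic list, not the plugin's real schema; the sample job uses a hypothetical `<scannerToken>` element and constructed values), and reports any value that is not in the form Jenkins uses for an encrypted `Secret`, i.e. base64 wrapped in curly braces such as `{AQAAABAAAA...=}`. Findings carry the job, the element name and the value's length, never the token itself.

```python
"""Flag secret-looking values stored in plaintext in Jenkins job config.xml files.

Added example; not code from the BaseFortify page, the Jenkins project or the
Aqua plugin. Assumptions:
  - standard layout: JENKINS_HOME/jobs/<job>[/jobs/<subjob>]/config.xml
  - Jenkins serialises an encrypted hudson.util.Secret as base64 wrapped in
    curly braces ("{AQAAABAAAA...=}"); a value in a secret-looking element
    that is not in that form is reported as plaintext
  - SECRET_TAG_HINTS is a heuristic for which elements hold secrets; the
    Aqua plugin's real element names are not on the page, so the sample
    job below uses a hypothetical <scannerToken> element
"""
import re
import sys
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Heuristic: element tags containing any of these words are treated as secret-bearing.
SECRET_TAG_HINTS = ("token", "secret", "password", "apikey", "api_key")

# Current Jenkins Secret format: "{" + base64 + "}". Pre-2017 legacy secrets were
# bare base64 without braces, so those would (conservatively) be flagged as well.
ENCRYPTED_SECRET_RE = re.compile(r"^\{[A-Za-z0-9+/]+=*\}$")


def is_encrypted_secret(value: str) -> bool:
    """True if value looks like a Jenkins-encrypted Secret."""
    return bool(ENCRYPTED_SECRET_RE.match(value.strip()))


def scan_config_xml(path: Path, jobs_dir: Path) -> list[dict]:
    """Return one finding per secret-looking element that holds a plaintext value.

    Only the value's length is recorded, so the report does not become a second
    copy of the secret.
    """
    findings = []
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError:
        return findings  # skip malformed files rather than abort the whole scan
    job = str(path.relative_to(jobs_dir).parent)
    for elem in root.iter():
        tag = elem.tag.lower()
        if not any(hint in tag for hint in SECRET_TAG_HINTS):
            continue
        value = (elem.text or "").strip()
        if value and not is_encrypted_secret(value):
            findings.append({"job": job, "element": elem.tag, "length": len(value)})
    return findings


def scan_jenkins_home(jenkins_home: Path) -> list[dict]:
    """Walk every job (including sub-jobs of folders) under JENKINS_HOME/jobs."""
    jobs_dir = jenkins_home / "jobs"
    findings = []
    for cfg in sorted(jobs_dir.rglob("config.xml")):
        findings.extend(scan_config_xml(cfg, jobs_dir))
    return findings


# Constructed sample jobs: hypothetical element names, fake values.
PLAINTEXT_JOB = """<?xml version='1.0' encoding='UTF-8'?>
<project>
  <builders>
    <com.example.aqua.ScannerBuilder>
      <registry>registry.example.invalid</registry>
      <scannerToken>constructed-plaintext-token-1234</scannerToken>
    </com.example.aqua.ScannerBuilder>
  </builders>
</project>
"""

ENCRYPTED_JOB = """<?xml version='1.0' encoding='UTF-8'?>
<project>
  <builders>
    <com.example.aqua.ScannerBuilder>
      <registry>registry.example.invalid</registry>
      <scannerToken>{AQAAABAAAAAQZmFrZWVuY3J5cHRlZGRlbW9ibG9iMTIzNDU2Nzg5MA==}</scannerToken>
    </com.example.aqua.ScannerBuilder>
  </builders>
</project>
"""


def run_demo() -> list[dict]:
    """Build a throwaway JENKINS_HOME holding both sample jobs and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        for name, body in (("aqua-scan", PLAINTEXT_JOB), ("aqua-scan-fixed", ENCRYPTED_JOB)):
            job_dir = home / "jobs" / name
            job_dir.mkdir(parents=True)
            (job_dir / "config.xml").write_text(body, encoding="utf-8")
        return scan_jenkins_home(home)


if __name__ == "__main__":
    # Usage: python scan_jenkins_secrets.py /var/lib/jenkins  (no argument runs the demo)
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    results = scan_jenkins_home(target) if target else run_demo()
    for f in results:
        print(f"PLAINTEXT secret: job={f['job']} element=<{f['element']}> length={f['length']}")
    sys.exit(1 if results else 0)
```

Run it on the controller as the Jenkins user with the path to JENKINS_HOME; a non-zero exit means at least one plaintext value was found, which is the signal to rotate that token at the Aqua side and move it into a properly encrypted field once the plugin is upgraded. Because the check keys on element names, extend SECRET_TAG_HINTS with the plugin's actual element name if you know it from your own config.xml.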
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the Jenkins controller file system and limiting Item/Extended Read permissions to trusted users only, to prevent unauthorized viewing of the unencrypted Scanner Tokens. Additionally, consider upgrading the Jenkins Aqua Security Scanner Plugin to a version later than 3.2.8 where this issue is fixed, or remove the tokens from the config.xml files and rotate them if possible.