Jenkins is a widely used open-source automation server for continuous integration and delivery, managing and controlling the software development process. Among its many plugins is the Zoho QEngine Plugin, which helps manage test cases and execute them through the Zoho QEngine API. Unfortunately, Jenkins Zoho QEngine Plugin version 1..29.vfa_cc23396502 and earlier suffers from a security vulnerability that makes it easier for attackers to gain unauthorized access to the API key.

Description

This vulnerability, registered under the Common Vulnerabilities and Exposures (CVE) identifier CVE-2025-30197, affects Jenkins Zoho QEngine Plugin 1..29.vfa_cc23396502 and earlier versions. The cause is a form field that is not masked: the QEngine API Key field displays its value in clear text, so anyone who can view the configuration page can read and capture the key. This information leakage significantly raises the risk of exploitation by malicious actors.

Exploit Details

An attacker with access to the Jenkins configuration page on which the Zoho QEngine API Key form field is located can view and copy the unmasked API key. With the key in hand, the attacker can call the QEngine API and potentially perform unauthorized actions.

Here is a snippet of code from the affected plugin that leaves the API key unmasked:

public class ZohoQEngineGlobalConfiguration extends GlobalPluginConfiguration {
    // The API key is held as a plain String, with nothing marking it as sensitive.
    private String apikey;

    @Inject
    public ZohoQEngineGlobalConfiguration() {
    }

    // Stapler binds the form field to this setter; the value is rendered
    // back into the form unmasked.
    @DataBoundSetter
    public void setApikey(String apikey) {
        this.apikey = apikey;
    }

    ...
}

Notice that nothing marks the field as sensitive, so no masking is applied to it. Below is an example of how the API key can be masked using the @Password annotation:

public class ZohoQEngineGlobalConfiguration extends GlobalPluginConfiguration {
    private String apikey;

    @Inject
    public ZohoQEngineGlobalConfiguration() {
    }

    // The @Password annotation marks the bound field as sensitive so that
    // the form renders it masked.
    @DataBoundSetter
    public void setApikey(@Password String apikey) {
        this.apikey = apikey;
    }

    ...
}

In the fixed code snippet above, the @Password annotation ensures that the API key is masked when displayed in the form field, preventing unauthorized users from viewing and capturing it.
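Masking the form field stops the key from being read off the screen, but a plain String field is still written in clear text to the plugin's config.xml on disk. Jenkins core's own mechanism for both concerns is the hudson.util.Secret type; the class below is an added example written for this article, not the plugin's code, and the class name ExampleQEngineGlobalConfiguration and its field are hypothetical.

```java
import hudson.Extension;
import hudson.util.Secret;
import jenkins.model.GlobalConfiguration;
import org.kohsuke.stapler.DataBoundSetter;

// Added example (not the plugin's code): a global configuration that keeps the
// QEngine API key as a hudson.util.Secret instead of a String.
//
// The matching config.jelly renders the field with <f:password field="apikey"/>,
// which shows a masked box; an <f:textbox/> would echo the value in clear text.
@Extension
public class ExampleQEngineGlobalConfiguration extends GlobalConfiguration {

    // Secret is encrypted with the instance's key when persisted, so config.xml
    // holds Secret.getEncryptedValue() rather than the raw key.
    private Secret apikey;

    public ExampleQEngineGlobalConfiguration() {
        load(); // restore the persisted (encrypted) value on startup
    }

    // Returning Secret, not String, lets the form round-trip the value
    // without ever exposing the plaintext to the page.
    public Secret getApikey() {
        return apikey;
    }

    // Stapler converts the submitted form value straight into a Secret, so
    // the raw string is never stored on this object.
    @DataBoundSetter
    public void setApikey(Secret apikey) {
        this.apikey = apikey;
        save();
    }

    // Only the code that actually calls the QEngine API should unwrap the key.
    // Secret.toString(Secret) returns "" for a null Secret, so callers can
    // treat an empty result as "not configured". Never log this value.
    public String apiKeyForRequest() {
        return Secret.toString(apikey);
    }
}
```

A quick verification after applying such a change is to open the plugin's config.xml under JENKINS_HOME and confirm the stored value is the encrypted form rather than the key itself.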

Original References

1. Jenkins Advisory 2025-02-16 - Announcement of the vulnerability and the affected versions.
2. Zoho QEngine Plugin 1..29.vfa_cc23396502 Documentation - Original documentation of the affected plugin version.

Mitigation

To protect yourself from this vulnerability, update the Jenkins Zoho QEngine Plugin to version 1..30.v55248ad32fba or later, in which the API key form field is properly masked. This can be done from the Jenkins management console: open the "Manage Plugins" section, select the "Updates" tab, then locate and update the Zoho QEngine Plugin.

Conclusion

This Jenkins Zoho QEngine Plugin vulnerability, CVE-2025-30197, highlights the need for proper security measures when handling sensitive information such as API keys. Keep your plugins up to date to stay protected and minimize the risk of exploitation.

Timeline

Published on: 03/19/2025 16:15:34 UTC
Last modified on: 03/21/2025 14:15:17 UTC