First published: Wed Mar 19 2025 (Updated: )
Jenkins Zoho QEngine Plugin 1.0.29.vfa_cc23396502 and earlier does not mask the QEngine API Key form field, increasing the potential for attackers to observe and capture it.
Credit: jenkinsci-cert@googlegroups.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Jenkins Zoho QEngine Plugin | <1.0.29.vfa_cc23396502 | |
| maven/io.jenkins.plugins:zohoqengine | <1.0.31.v4a | 1.0.31.v4a_b_1db_6d6a_f2 |
CVE-2025-30197 is rated medium severity because it can expose a sensitive API key.
To fix CVE-2025-30197, update the Jenkins Zoho QEngine Plugin to a version later than 1.0.29.vfa_cc23396502, in which the QEngine API Key form field is masked.
CVE-2025-30197 stems from the plugin's failure to mask the QEngine API Key form field.
Versions of the Jenkins Zoho QEngine Plugin up to and including 1.0.29.vfa_cc23396502 are affected by CVE-2025-30197.
CVE-2025-30197 is relatively easy to exploit, since anyone who can view the configuration page can read the unmasked key directly from the interface.
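The underlying weakness class (a secret rendered in a plain Jenkins form field) is easiest to see in the plugin's Jelly configuration view. The fragment below is an added illustration, not code from the Zoho QEngine Plugin or from the Jenkins project: the field name `apiKey` and the surrounding `config.jelly` layout are assumptions. It shows the weak pattern beside the corrected one, using the standard Jenkins form tags `f:textbox` and `f:password`; the corrected form is what a reviewer would look for when auditing a plugin for this issue.

```xml
<?jelly escape-by-default='true'?>
<j:jelly xmlns:j="jelly:core" xmlns:f="/lib/form">

  <!-- WEAK (assumed example of the vulnerable pattern):
       f:textbox renders a plain <input type="text">, so the stored key
       is shown unmasked to anyone who can open the configuration page.
       The Java-side field behind it would typically be a plain String. -->
  <!--
  <f:entry title="QEngine API Key" field="apiKey">
    <f:textbox/>
  </f:entry>
  -->

  <!-- FIXED: f:password renders a masked input and, when the backing
       Java field is of type hudson.util.Secret, Jenkins stores the value
       encrypted and never echoes the plaintext back into the page. -->
  <f:entry title="QEngine API Key" field="apiKey">
    <f:password/>
  </f:entry>

</j:jelly>
```

On the Java side the matching change is to declare the field as `hudson.util.Secret` (constructed via `Secret.fromString(...)` and read with `getPlainText()` only at the point of use) rather than `String`; switching the view to `f:password` without changing the backing type still leaves the secret stored in plain text in `config.xml`.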