CVE-2023-46653
Description
Jenkins lambdatest-automation Plugin logs LAMBDATEST Credentials access token at INFO level, exposing sensitive credentials to attackers with log access.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Type
Jenkins lambdatest-automation Plugin version 1.20.10 and earlier logs the LAMBDATEST Credentials access token at the INFO log level [1][2]. This violates logging best practice: sensitive credentials should never be written to logs at a level as routinely recorded as INFO.
Exploitation
An attacker with read access to Jenkins system logs can obtain the access token. No special permissions beyond access to logs are required, as INFO level logs are typically accessible to users with Overall/Read permission or through the Jenkins log API.
Impact
Exposure of the LAMBDATEST access token allows an attacker to authenticate to the LAMBDATEST service as the affected Jenkins instance, potentially leading to unauthorized access to test results and infrastructure.
Mitigation
The issue is fixed in lambdatest-automation Plugin version 1.21.0 (and possibly 1.20.10 as a re-release) [3]. Users should upgrade to a secure version as soon as possible. Alternatively, limiting access to Jenkins logs can reduce the risk of token exposure.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:lambdatest-automation (Maven) | < 1.21.0 | 1.21.0 |
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-hpv3-f5p7-pxj9 (source: ghsa; type: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2023-46653 (source: ghsa; type: ADVISORY)
- www.jenkins.io/security/advisory/2023-10-25/ (source: ghsa; tag: vendor-advisory; type: WEB)
- www.openwall.com/lists/oss-security/2023/10/25/2 (source: ghsa; type: WEB)
News mentions
- Jenkins Security Advisory 2023-10-25 (Jenkins Security Advisories, Oct 25, 2023)