CVE-2025-30197
Description
Jenkins Zoho QEngine Plugin 1.0.29.vfa_cc23396502 and earlier does not mask the QEngine API Key form field, increasing the potential for attackers to observe and capture it.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins Zoho QEngine Plugin 1.0.29 and earlier exposes the API Key in plaintext in the job configuration form, enabling shoulder-surfing or screen capture attacks.
Vulnerability Details
Jenkins Zoho QEngine Plugin versions 1.0.29.vfa_cc23396502 and earlier contain a security flaw where the API Key form field is not masked (i.e., displayed as plaintext rather than password characters) during job configuration. The plugin stores the QEngine API Key encrypted on disk, but the configuration UI exposes the key visually on the Jenkins controller's job configuration page [1][2]. This is due to the use of an <f:textbox> element instead of <f:password> in the plugin's config.jelly file [4].
Exploitation Scenario
An attacker with the ability to observe the Jenkins controller screen—such as through shoulder-surfing, screen sharing, or a screen capture tool—can directly read the API Key while a user or administrator is editing the job configuration. No special authentication beyond the ability to view the configuration form is required, as the key is always visible when the form is loaded [2].
Impact
Successful capture of the QEngine API Key allows the attacker to authenticate to the Zoho QEngine service and potentially execute unauthorized test automation actions, access test results, or disrupt CI/CD workflows that depend on the integration. The risk is heightened in environments where multiple users access the same Jenkins controller or where session recordings are captured [1][2].
Mitigation
Zoho QEngine Plugin version 1.0.31.v4a_b_1db_6d6a_f2 fixes the issue by changing the form field type from <f:textbox> to <f:password>, which masks the key entry with asterisks [3][4]. Users should update to this version or later. No workaround is available other than immediate upgrade, as the plaintext exposure is a design deficiency in the UI [2].
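The defect is a one-attribute choice in the plugin's form markup, which makes it easy to check for across a plugin code base. The following audit helper is an added example, not code from the Zoho QEngine plugin or from the advisory: it parses Jelly form files with the standard-library XML parser and reports any field rendered with <f:textbox> whose name looks like a secret. The namespace URI /lib/form is the one Jenkins form tags bind to; the secret-name pattern is an assumed heuristic, and the two sample files are constructed here, modelled on the before/after state of config.jelly.

```python
"""Audit Jenkins plugin Jelly forms for secret-like fields rendered with
<f:textbox> instead of <f:password>.  Added example; not part of the plugin."""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Jenkins form-library tags (f:textbox, f:password, ...) bind to this namespace URI.
FORM_NS = "/lib/form"
TEXTBOX = f"{{{FORM_NS}}}textbox"
PASSWORD = f"{{{FORM_NS}}}password"

# Assumed heuristic: field names that should never be rendered unmasked.
SECRET_NAME = re.compile(
    r"api[_-]?key|secret|token|passw(?:or)?d|credential", re.IGNORECASE
)


def unmasked_secret_fields(jelly_xml: str) -> list[str]:
    """Return the `field` names of <f:textbox> elements that look like secrets."""
    root = ET.fromstring(jelly_xml)
    return [
        elem.get("field", "")
        for elem in root.iter(TEXTBOX)
        if SECRET_NAME.search(elem.get("field", ""))
    ]


def masked_fields(jelly_xml: str) -> list[str]:
    """Return the `field` names rendered with <f:password> (positive check)."""
    root = ET.fromstring(jelly_xml)
    return [elem.get("field", "") for elem in root.iter(PASSWORD)]


def audit_tree(plugin_src: Path) -> dict[str, list[str]]:
    """Walk a plugin checkout and map each Jelly file to its unmasked secret fields."""
    findings: dict[str, list[str]] = {}
    for jelly in plugin_src.rglob("*.jelly"):
        hits = unmasked_secret_fields(jelly.read_text(encoding="utf-8"))
        if hits:
            findings[str(jelly)] = hits
    return findings


# Constructed sample modelled on the plugin's config.jelly before the fix.
VULNERABLE_CONFIG = """<?jelly escape-by-default='true'?>
<j:jelly xmlns:j="jelly:core" xmlns:f="/lib/form">
  <f:entry title="Test Plan URL" field="testPlanUrl">
    <f:textbox field="testPlanUrl" checkMethod="post"/>
  </f:entry>
  <f:entry title="API Key" field="apiKey">
    <f:textbox field="apiKey" checkMethod="post"/>
  </f:entry>
  <f:entry title="Maximum Wait Time" field="maxWaitTime">
    <f:number field="maxWaitTime" default="180" checkMethod="post"/>
  </f:entry>
</j:jelly>
"""
# The same form after the one-line fix (textbox -> password on apiKey).
FIXED_CONFIG = VULNERABLE_CONFIG.replace(
    '<f:textbox field="apiKey"', '<f:password field="apiKey"'
)

if __name__ == "__main__":
    print("before fix:", unmasked_secret_fields(VULNERABLE_CONFIG))  # ['apiKey']
    print("after fix: ", unmasked_secret_fields(FIXED_CONFIG))       # []
    print("masked:    ", masked_fields(FIXED_CONFIG))                # ['apiKey']
```

Run `audit_tree(Path("path/to/plugin/src"))` against a plugin checkout to list every Jelly file with an unmasked secret-like field; an empty result is the expected state after a fix like 1.0.31's. Masking the input only hides what the browser renders, so the backing Java field should also be a hudson.util.Secret so the value is encrypted at rest, which the page notes this plugin already does.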
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| io.jenkins.plugins:zohoqengine (Maven) | < 1.0.31.v4a_b_1db_6d6a_f2 | 1.0.31.v4a_b_1db_6d6a_f2 |
Affected products
- Jenkins Project / Jenkins Zoho QEngine Plugin, range: <= 1.0.29.vfa_cc23396502
Patches
- 4ab1db6d6af2: Merge pull request #11 from jenkinsci/Hotfix_Branch
1 file changed · +1 −1
src/main/resources/io/jenkins/plugins/zohoqengine/QEnginePluginBuilder/config.jelly+1 −1 modified@@ -6,7 +6,7 @@ <f:textbox field="testPlanUrl" checkMethod="post"/> </f:entry> <f:entry title="API Key" field="apiKey"> - <f:textbox field="apiKey" checkMethod="post"/> + <f:password field="apiKey" checkMethod="post"/> </f:entry> <f:entry title="Maximum Wait Time" field="maxWaitTime"> <f:number field="maxWaitTime" default="180" checkMethod="post"/>
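Review bot: the change from <f:textbox> to <f:password> on the apiKey entry is the right fix, and keeping checkMethod="post" on the new element is correct, since the form-validation round trip then carries the key in a POST body rather than a URL; what the hunk cannot show, and is worth confirming in the same review, is that the Java property behind apiKey is a hudson.util.Secret rather than a plain String, because <f:password> only masks what the browser renders. The merge commit message ("Merge pull request #11 from jenkinsci/Hotfix_Branch") does not mention the advisory; referencing CVE-2025-30197 there would help anyone auditing the history.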
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
[1] github.com/advisories/GHSA-2x3g-rr4w-4qrp (GHSA advisory)
[2] nvd.nist.gov/vuln/detail/CVE-2025-30197 (NVD advisory)
[3] www.jenkins.io/security/advisory/2025-03-19/ (vendor advisory)
[4] github.com/jenkinsci/zohoqengine-plugin/commit/4ab1db6d6af21f43dd15cc328599445519875fa8 (fix commit)
News mentions
- Jenkins Security Advisory 2025-03-19 (Jenkins Security Advisories, Mar 19, 2025)