{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33003", "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "state": "PUBLISHED", "assignerShortName": "jenkins", "dateReserved": "2026-03-17T15:04:07.616Z", "datePublished": "2026-03-18T15:15:25.768Z", "dateUpdated": "2026-03-18T15:55:13.735Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins", "dateUpdated": "2026-03-18T15:15:25.768Z"}, "affected": [{"vendor": "Jenkins Project", "product": "Jenkins LoadNinja Plugin", "versions": [{"version": "0", "versionType": "maven", "lessThanOrEqual": "2.1", "status": "affected"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Jenkins LoadNinja Plugin 2.1 and earlier stores LoadNinja API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system."}], "references": [{"name": "Jenkins Security Advisory 2026-03-18", "url": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3642", "tags": ["vendor-advisory"]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-312", "lang": "en", "description": "CWE-312 Cleartext Storage of Sensitive Information"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-18T15:55:10.878464Z", "id": "CVE-2026-33003", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T15:55:13.735Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-33003", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-18T15:55:10.878464Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-312", "description": "CWE-312 Cleartext Storage of Sensitive Information"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T15:54:11.498Z"}}], "cna": {"affected": [{"vendor": "Jenkins Project", "product": "Jenkins LoadNinja Plugin", "versions": [{"status": "affected", "version": "0", "versionType": "maven", "lessThanOrEqual": "2.1"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3642", "name": "Jenkins Security Advisory 2026-03-18", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "Jenkins LoadNinja Plugin 2.1 and earlier stores LoadNinja API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system."}], "providerMetadata": {"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins", "dateUpdated": "2026-03-18T15:15:25.768Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33003", "state": "PUBLISHED", "dateUpdated": "2026-03-18T15:55:13.735Z", "dateReserved": "2026-03-17T15:04:07.616Z", "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "datePublished": "2026-03-18T15:15:25.768Z", "assignerShortName": "jenkins"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:loadninja:*:*:*:*:*:jenkins:*:*", "matchCriteriaId": "9BCE27DC-E2B1-4969-AE65-2E2CEA7C0514", "versionEndExcluding": "2.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Jenkins LoadNinja Plugin 2.1 and earlier stores LoadNinja API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system."}], "id": "CVE-2026-33003", "lastModified": "2026-03-21T00:18:27.543", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-18T16:16:28.290", "references": [{"source": "jenkinsci-cert@googlegroups.com", "tags": ["Vendor Advisory"], "url": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3642"}], "sourceIdentifier": "jenkinsci-cert@googlegroups.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-312"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "jenkins_loadninja_plugin", "vendor": "jenkins_project"}], "analysis": {"en": {"generated_at": "2026-03-21T07:08:33.229584+00:00", "value": {"mitigation_remediation": ["Update LoadNinja Plugin to version 2.2 or later if available.", "If a patch is not yet released, remove or redeploy plugin in a way that forces configuration regeneration to clear unencrypted keys.", "Restrict Item/Extended Read permissions to only trusted users to prevent unauthorized viewing of job configurations.", "Limit filesystem access to the Jenkins controller so that only system administrators can read \"config.xml\" files.", "Consider configuring Jenkins to store credentials in the built\u2011in credential store instead of plain config files."], "summary": {"action": "Patch", "impact": "Unauthorized exposure of LoadNinja API keys"}, "threat_synthesis": {"affected_systems": "All Jenkins installations running LoadNinja Plugin 2.1 or earlier are affected. The vulnerability is present in the Jenkins Project\u2019s LoadNinja Plugin, as listed by the CNA. Updates or newer plugin versions should be checked for remediation.", "description_and_impact": "The LoadNinja Plugin for Jenkins stores API keys in job configuration files without encryption. Anyone who views the config.xml, either directly through the web UI with Item/Extended Read rights or via filesystem access on the Jenkins controller, gains read access to these secrets. This flaw allows the compromise of confidentiality, potentially enabling attackers to misuse the LoadNinja service or access protected resources.", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate severity, while an EPSS below 1% implies low immediate exploitation likelihood. The issue is not listed in the CISA KEV catalog. Exploitation requires either web UI access with Item/Extended Read permission or direct file system access on the control plane, so it is largely limited to insiders or privileged users. Nonetheless, the exposure of API credentials is a significant risk to confidentiality."}}}}, "created": "2026-03-19T08:56:34.433337+00:00", "updated": "2026-03-24T10:58:41.482817+00:00", "vendors": ["jenkins_project", "jenkins_project$PRODUCT$jenkins_loadninja_plugin"]}