CVE-2025-30197: Jenkins Zoho QEngine Plugin Displays Unmasked API Keys

March 19, 2025 (updated March 20, 2025)

Jenkins Zoho QEngine Plugin 1.0.29.vfa_cc23396502 and earlier does not mask the QEngine API Key form field, increasing the potential for attackers to observe and capture it.

References

github.com/advisories/GHSA-2x3g-rr4w-4qrp
github.com/jenkinsci/zohoqengine-plugin
github.com/jenkinsci/zohoqengine-plugin/commit/4ab1db6d6af21f43dd15cc328599445519875fa8
nvd.nist.gov/vuln/detail/CVE-2025-30197
www.jenkins.io/security/advisory/2025-03-19/

Detect and mitigate CVE-2025-30197 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →