Unencrypted Key Storage Vulnerability in Jenkins Google Compute Engine Plugin
CVE-2022-29052
4.3 MEDIUM
Key Information:
- Vendor: Jenkins
- CVE Published: 12 April 2022
Summary
The Jenkins Google Compute Engine Plugin, versions 4.3.8 and prior, exposes sensitive private keys by storing them unencrypted within cloud agent config.xml files on the Jenkins controller. This vulnerability allows users with Extended Read permission or access to the Jenkins controller file system to view these keys, posing a significant security risk. It is crucial for users to secure this information by implementing necessary safeguards or updating to a patched version.
Affected Version(s)
Jenkins Google Compute Engine Plugin <= 4.3.8
CVSS V3.1
Score: 4.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved