Insecure Password Storage in Jenkins Squash TM Publisher Plugin
CVE-2022-34213

6.5MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins Squash Tm Publisher (squash4jenkins) Plugin
Vendor: CVE Published:; 23 June 2022

Summary

The Jenkins Squash TM Publisher plugin stores sensitive information, specifically passwords, in an unencrypted format within its global configuration file on the Jenkins controller. This security flaw allows any user with access to the Jenkins controller's file system to view these passwords, potentially leading to unauthorized access and compromise of sensitive data. Immediate measures should be implemented to mitigate the risks associated with unprotected credential storage.

Affected Version(s)

Jenkins Squash TM Publisher (Squash4Jenkins) Plugin <= 1.0.0

References

https://www.jenkins.io/security/advisory/2022-06-22/#SECU...

x_refsource_CONFIRM

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jun 23, 2022
Vulnerability Reserved
Jun 21, 2022