Unencrypted Password Storage in Jenkins Performance Publisher Plugin
CVE-2022-45392
6.5 MEDIUM
Key Information:
- Vendor: Jenkins
- CVE Published: 15 November 2022
Summary
The NS-ND Integration Performance Publisher Plugin for Jenkins stores passwords unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by attackers who have Extended Read permission or access to the controller's file system. This vulnerability underscores the importance of secure credential management in CI/CD pipelines.
Affected Version(s)
Jenkins NS-ND Integration Performance Publisher Plugin <= 4.8.0.143
CVSS V3.1
- Score: 6.5
- Severity: MEDIUM
- Confidentiality: High
- Integrity: None
- Availability: High
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved