SB2022041336 - Cleartext storage of sensitive information in Jenkins Google Compute Engine Plugin
Published: April 13, 2022
Security Bulletin ID
SB2022041336
Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Information disclosure
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Cleartext storage of sensitive information (CVE-ID: CVE-2022-29052)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to the affected plugin stores private keys unencrypted in cloud agent config.xml files on the Jenkins controller as part of its configuration. A remote user can retrieve sensitive information stored in cleartext.
Remediation
Install update from vendor's website.