Main Vulnerability Database SB2022111622

SB2022111622 - Unprotected storage of credentials in Jenkins Reverse Proxy Auth plugin

Published: November 16, 2022

Security Bulletin ID SB2022111622

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Local access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Unprotected storage of credentials (CVE-ID: CVE-2022-45384)

The vulnerability allows a local user to gain access to other users' credentials.

The vulnerability exists due to application stores the LDAP manager password unencrypted in the global config.xml file on the Jenkins controller as part of its configuration. A local user can view contents of the configuration file and gain access to passwords for 3rd party integration.

Remediation

Install update from vendor's website.

References

https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2094