SB2022111633 - Multiple vulnerabilities in Jenkins NS-ND Integration Performance Publisher plugin

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Improper Certificate Validation (CVE-ID: CVE-2022-45391)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to the affected plugin globally and unconditionally disables SSL/TLS certificate and hostname validation for the entire Jenkins controller JVM. A remote user can gain access to sensitive information on the system.

2) Unprotected storage of credentials (CVE-ID: CVE-2022-45392)

The vulnerability allows a remote attacker to gain access to other users' credentials.

The vulnerability exists due to application stored credentials in plain text in a configuration file on the system. A remote user can view contents of the configuration file and gain access to passwords for 3rd party integration.

Remediation

Install update from vendor's website.

References

• https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2910%20(1)
• https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2912