Cleartext storage of sensitive information in Metrics - CVE-2022-20621

 

Cleartext storage of sensitive information in Metrics - CVE-2022-20621

Published: January 13, 2022


Vulnerability identifier: #VU59590
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2022-20621
CWE-ID: CWE-312
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Jenkins
Affected software:
Metrics

Detailed vulnerability description

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to the affected plugin stores access keys unencrypted in its global configuration file jenkins.metrics.api.MetricsAccessKey.xml on the Jenkins controller as part of its configuration. A local user can retrieve sensitive information stored in cleartext.


How to mitigate CVE-2022-20621

Install updates from vendor's website.

Sources