Cleartext storage of sensitive information in Gitlab Authentication - CVE-2022-27206

 

Cleartext storage of sensitive information in Gitlab Authentication - CVE-2022-27206

Published: March 16, 2022


Vulnerability identifier: #VU61415
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2022-27206
CWE-ID: CWE-312
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Jenkins
Affected software:
Gitlab Authentication

Detailed vulnerability description

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to the affected plugin stores the GitLab client secret unencrypted in the global config.xml file on the Jenkins controller as part of its configuration. A local user can retrieve sensitive information stored in cleartext.


How to mitigate CVE-2022-27206

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Sources