Main Vulnerability Database Vulnerabilities #VU61741

Cleartext storage of sensitive information in instant-messaging - CVE-2022-28135

Published: March 30, 2022

Vulnerability identifier: #VU61741

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2022-28135

CWE-ID: CWE-312

Exploitation vector: Local access

Exploit availability: No public exploit available

Vendor: Jenkins

Affected software:
instant-messaging

Detailed vulnerability description

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to the affected plugin stores passwords for group chats unencrypted in the global configuration file of plugins based on instant-messaging Plugin on the Jenkins controller. A local user can retrieve sensitive information stored in cleartext.

How to mitigate CVE-2022-28135

Install updates from vendor's website.

Sources

https://jenkins.io/security/advisory/2022-03-29/

Cleartext storage of sensitive information in instant-messaging - CVE-2022-28135

Detailed vulnerability description

How to mitigate CVE-2022-28135

Sources

Please verify you're human