Cleartext storage of sensitive information in CONS3RT - CVE-2022-41255

 

Cleartext storage of sensitive information in CONS3RT - CVE-2022-41255

Published: September 23, 2022


Vulnerability identifier: #VU67620
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2022-41255
CWE-ID: CWE-312
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Jenkins
Affected software:
CONS3RT

Detailed vulnerability description

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to the affected plugin stores Cons3rt API token unencrypted in job config.xml files on the Jenkins controller as part of its configuration. A local user can view whis API token.


How to mitigate CVE-2022-41255

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Sources