Unprotected storage of credentials in Reverse Proxy Auth - CVE-2022-45384


Published: November 16, 2022


Vulnerability identifier: #VU69372
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2022-45384
CWE-ID: CWE-256
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Jenkins
Affected software:
Reverse Proxy Auth

Detailed vulnerability description

The vulnerability allows a local user to gain access to other users' credentials.

The vulnerability exists because the application stores the LDAP manager password unencrypted in the global config.xml file on the Jenkins controller as part of its configuration. A local user can view the contents of the configuration file and gain access to passwords for 3rd party integration.
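A defender-side check for the weakness described above, added here as an example that is not part of this advisory or the Jenkins project: it parses a Jenkins config.xml and flags password elements whose value is not in Jenkins' encrypted `{...}` Secret form. The element names checked, the sample realm class name and the sample config are assumptions constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Jenkins serialises an encrypted Secret as "{<base64>}" once it has been
# protected with the controller's master key; a bare value is plaintext.
ENCRYPTED_SECRET = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")

# Assumption: element names that carry the LDAP manager password. The advisory
# only says the password sits in the plugin's part of the global config.xml.
PASSWORD_ELEMENTS = {"managerPassword", "managerPasswordSecret"}


def find_plaintext_passwords(config_xml: str) -> list[str]:
    """Return the paths of password elements whose text is not an encrypted Secret."""
    root = ET.fromstring(config_xml)
    findings: list[str] = []

    def walk(elem: ET.Element, path: str) -> None:
        for child in elem:
            child_path = f"{path}/{child.tag}"
            text = (child.text or "").strip()
            if child.tag in PASSWORD_ELEMENTS and text and not ENCRYPTED_SECRET.match(text):
                findings.append(child_path)
            walk(child, child_path)

    walk(root, root.tag)
    return findings


# Constructed sample: one realm with a plaintext manager password and one with
# an encrypted value. Hostnames, DN and class name are placeholders.
SAMPLE_CONFIG = """<hudson>
  <securityRealm class="org.jenkinsci.plugins.reverse_proxy_auth.ReverseProxySecurityRealm">
    <server>ldap://ldap.example.internal:389</server>
    <managerDN>cn=jenkins,ou=svc,dc=example,dc=internal</managerDN>
    <managerPassword>hunter2-plaintext</managerPassword>
  </securityRealm>
  <otherRealm>
    <managerPassword>{AQAAABAAAAAQ6eQuAXv9f3c0mJ3K7RzB2Q==}</managerPassword>
  </otherRealm>
</hudson>
"""

if __name__ == "__main__":
    for path in find_plaintext_passwords(SAMPLE_CONFIG):
        print(f"plaintext credential at {path}")
```

Run it against the controller's real `$JENKINS_HOME/config.xml` to confirm whether the installed plugin version still writes the password in the clear.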


How to mitigate CVE-2022-45384

Install updates from the vendor's website.

Sources