PT-2022-14830 · Jenkins · Jenkins Metrics Plugin

Wasin Saengow · Published 2022-01-12 · Updated 2023-11-30

CVE-2022-20621

CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins Metrics Plugin versions 4.0.2.8 and earlier

Description: The plugin stores its access key unencrypted in the global configuration file jenkins.metrics.api.MetricsAccessKey.xml on the Jenkins controller. Any user with access to the Jenkins controller file system can read the key from that file.

Recommendations: For Jenkins Metrics Plugin versions 4.0.2.8 and earlier, update to version 4.0.2.8.1 or later, which stores the access key encrypted once the configuration is saved again; the key stays in the clear until that re-save happens. As a temporary workaround, restrict access to the Jenkins controller file system to reduce the risk of the access key being read by unauthorized users.
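A check an administrator could run against the controller's jenkins.metrics.api.MetricsAccessKey.xml to confirm that the key is no longer stored in the clear after upgrading and re-saving the configuration. This is an added example, not code from the advisory or from the Jenkins project. It assumes that Jenkins writes an encrypted hudson.util.Secret to XML as a base64 string wrapped in braces and that the plugin keeps each key in a <key> element with an optional <description> sibling; the sample XML below is constructed, and the script never prints a key in full.

```python
"""Audit a Jenkins Metrics plugin config file for plaintext access keys.

Added example for this advisory; not code from the Jenkins project. It reads
jenkins.metrics.api.MetricsAccessKey.xml and reports every <key> element whose
value is not in the encrypted form Jenkins uses for hudson.util.Secret.
"""
import base64
import re
import sys
import xml.etree.ElementTree as ET

# Assumption: a Jenkins-encrypted Secret is written to XML as "{<base64>}".
# Anything else (bare text, or the older bare-base64 form) is reported as
# plaintext so the operator gets a finding rather than a silent pass.
ENCRYPTED_SECRET_RE = re.compile(r"^\{[A-Za-z0-9+/]+={0,2}\}$")

# Constructed sample imitating the file on a controller where one key was saved
# before the upgrade and one after. Element names are assumptions.
SAMPLE_XML = """<jenkins.metrics.api.MetricsAccessKey_-DescriptorImpl>
  <accessKeys>
    <jenkins.metrics.api.MetricsAccessKey>
      <key>CONSTRUCTED-PLAINTEXT-KEY-1234567890</key>
      <description>prometheus scraper</description>
    </jenkins.metrics.api.MetricsAccessKey>
    <jenkins.metrics.api.MetricsAccessKey>
      <key>{AQAAABAAAAAwCONSTRUCTEDBASE64PAYLOADAAAAAAAAAAAA}</key>
      <description>re-saved after upgrade</description>
    </jenkins.metrics.api.MetricsAccessKey>
  </accessKeys>
</jenkins.metrics.api.MetricsAccessKey_-DescriptorImpl>
"""


def looks_encrypted(value: str) -> bool:
    """True if value has the {base64} shape and the payload decodes cleanly."""
    value = value.strip()
    if not ENCRYPTED_SECRET_RE.match(value):
        return False
    try:
        base64.b64decode(value[1:-1], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return True


def redact(value: str) -> str:
    """Keep a short prefix so a finding can be matched to a key without leaking it."""
    return value[:4] + "*" * max(len(value) - 4, 0)


def audit(xml_text: str) -> list:
    """Return one finding per element that carries a direct <key> child."""
    root = ET.fromstring(xml_text)
    findings = []
    for holder in root.iter():  # document order, root included
        key_el = holder.find("key")
        if key_el is None:
            continue
        key = (key_el.text or "").strip()
        findings.append({
            "description": holder.findtext("description", "").strip(),
            "key": redact(key),
            "encrypted": looks_encrypted(key),
        })
    return findings


def plaintext_keys(xml_text: str) -> list:
    """Findings that still need the configuration to be re-saved on a fixed version."""
    return [f for f in audit(xml_text) if not f["encrypted"]]


def main(argv: list) -> int:
    """Audit the file given on the command line, or the constructed sample."""
    path = argv[1] if len(argv) > 1 else None
    if path:
        with open(path, encoding="utf-8") as fh:
            xml_text = fh.read()
    else:
        xml_text = SAMPLE_XML
    findings = audit(xml_text)
    for f in findings:
        state = "encrypted" if f["encrypted"] else "PLAINTEXT"
        print(f"{state:9} {f['key']}  ({f['description'] or 'no description'})")
    return 1 if any(not f["encrypted"] for f in findings) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python audit_metrics_keys.py /var/lib/jenkins/jenkins.metrics.api.MetricsAccessKey.xml` (path is an assumption; use your controller's JENKINS_HOME). A non-zero exit means at least one key is still plaintext, which on 4.0.2.8.1 or later is the signal that the configuration has not been re-saved yet; the file itself must still be readable only by the Jenkins service account, since an encrypted value is only as protected as the controller's master key.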

Fix

Weakness Enumeration
Insufficiently Protected Credentials

Related Identifiers

CVE-2022-20621
GHSA-GG9M-X3CG-69VH

Affected Products

Jenkins
Jenkins Metrics Plugin