PT-2022-15857 · Jenkins · Jenkins Publish Over Ssh Plugin

Justin Philip · Published 2022-01-12 · Updated 2023-11-30 · CVE-2022-23114

CVSS v3.1: 3.3 (Low)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions
Jenkins Publish Over SSH Plugin versions 1.22 and earlier

Description
The issue allows passwords to be stored unencrypted in the global configuration file on the Jenkins controller. These passwords can be viewed by users with access to the Jenkins controller file system.

Recommendations
For Jenkins Publish Over SSH Plugin versions 1.22 and earlier, consider updating to a version that properly encrypts passwords in the global configuration file to prevent unauthorized access. As a temporary workaround, restrict access to the Jenkins controller file system to minimize the risk of password exposure.

Fix

Insufficiently Protected Credentials

Weakness Enumeration

Related Identifiers

CVE-2022-23114
GHSA-R3RR-WPH6-9638

Affected Products

Jenkins
Jenkins Publish Over Ssh Plugin