CVE-2022-27195

Name of the Vulnerable Software and Affected Versions Jenkins Parameterized Trigger Plugin versions 2.43 and earlier

Description The issue concerns the capture and storage of environment variables, including password parameter values, in build.xml files by the Jenkins Parameterized Trigger Plugin. These values are stored unencrypted and can be accessed by users with permission to the Jenkins controller file system. The problem also involves existing build.xml files not being automatically updated to remove captured environment variables, requiring manual cleanup. The plugin reports stored environment variables as unloadable data in the Old Data Monitor, allowing for their removal.

Recommendations For Jenkins Parameterized Trigger Plugin versions 2.43 and earlier, manually clean up existing build.xml files to remove captured environment variables. Utilize the Old Data Monitor to identify and discard stored environment variables. Consider restricting access to the Jenkins controller file system to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.