PT-2022-18304 · Jenkins · Jenkins Dbcharts Plugin
S0Nnguy3N · Published 2022-03-15 · Updated 2023-12-22
CVE-2022-27216 · CVSS v3.1 6.5 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Jenkins dbCharts Plugin versions 0.5.2 and earlier
Description
Jenkins dbCharts Plugin stores the JDBC connection passwords it uses for its database queries unencrypted in its global configuration file, hudson.plugins.dbcharts.DbChartPublisher.xml, on the Jenkins controller. Jenkins normally protects such values with hudson.util.Secret; here they are written as plain text, so any user with access to the controller file system (including backups and copies of JENKINS_HOME) can read the database passwords directly.
Recommendations
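The following audit script is an added example for this advisory, not code from the dbCharts plugin or from Jenkins. It scans a controller configuration file for password-like elements whose value is not in the encrypted "{base64}" envelope that hudson.util.Secret produces, and reports whether the file is readable by group or world, which is what the file-permission workaround in the Recommendations section changes. Assumptions, because the page does not give them: the XML layout of the constructed sample (a dbcharts-global-config root with connection, name, url, user and password children) is invented and is not the plugin's real schema, so the scan keys on any element whose tag name contains "password".

```python
"""Audit a Jenkins controller configuration XML for unencrypted credentials.

Added example for PT-2022-18304 / CVE-2022-27216; not code from the dbCharts
plugin or from Jenkins. Assumptions (not stated on the advisory page):
  - the element layout of SAMPLE_CONFIG below is constructed, not the plugin's
    real schema, so any element whose tag contains "password" is treated as a
    credential field;
  - values protected by hudson.util.Secret are recognised by the "{base64}"
    envelope that serialised Secrets use.
"""
import os
import re
import stat
import tempfile
import xml.etree.ElementTree as ET

# hudson.util.Secret serialises an encrypted value as base64 inside braces.
ENCRYPTED_RE = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")

# Constructed sample standing in for hudson.plugins.dbcharts.DbChartPublisher.xml.
# One connection carries a plaintext password (the vulnerable state) and one an
# encrypted value, so the audit has something to flag and something to pass.
SAMPLE_CONFIG = """<?xml version='1.1' encoding='UTF-8'?>
<dbcharts-global-config>
  <connection>
    <name>reporting-db</name>
    <url>jdbc:mysql://db.example.internal:3306/reports</url>
    <user>reports_ro</user>
    <password>Summer2022!</password>
  </connection>
  <connection>
    <name>audit-db</name>
    <url>jdbc:postgresql://audit.example.internal:5432/audit</url>
    <user>audit</user>
    <password>{AQAAABAAAAAQ4sW9hJ7n4hx8hF+Tk7U3mQ==}</password>
  </connection>
</dbcharts-global-config>
"""


def find_plaintext_passwords(xml_text):
    """Return [(connection_name, element_tag, value)] for every password-like
    element whose value is not wrapped in the Jenkins encrypted envelope."""
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for element in root.iter():
        if "password" not in element.tag.lower():
            continue
        value = (element.text or "").strip()
        if value and not ENCRYPTED_RE.match(value):
            parent = parents.get(element)
            # "name" is part of the constructed schema; fall back when absent.
            name = parent.findtext("name", default="?") if parent is not None else "?"
            findings.append((name, element.tag, value))
    return findings


def is_group_or_world_readable(path):
    """True if the file mode grants read access beyond the owning user."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit_config_file(path):
    """Run both checks a controller administrator would want for this issue."""
    with open(path, encoding="utf-8") as fh:
        xml_text = fh.read()
    return {
        "plaintext": find_plaintext_passwords(xml_text),
        "readable_by_others": is_group_or_world_readable(path),
    }


def demo():
    """Write the sample to a temp file, audit it, apply the chmod 600
    workaround, audit again. Returns (before, after) audit results."""
    fd, path = tempfile.mkstemp(suffix=".xml")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_CONFIG)
        os.chmod(path, 0o644)  # a typical too-permissive state
        before = audit_config_file(path)
        os.chmod(path, 0o600)  # workaround: owner-only access
        after = audit_config_file(path)
    finally:
        os.unlink(path)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for name, tag, value in before["plaintext"]:
        print(f"plaintext credential for connection {name!r} in <{tag}>: {value}")
    print("readable by group/others before:", before["readable_by_others"])
    print("readable by group/others after chmod 600:", after["readable_by_others"])
```

Run it against the real file by calling audit_config_file("/var/lib/jenkins/hudson.plugins.dbcharts.DbChartPublisher.xml") (path assumed; JENKINS_HOME differs per installation). Note that the plaintext findings are identical before and after the chmod: tightening the file mode only narrows who can read the file, it does not encrypt the stored passwords, so copies of JENKINS_HOME taken before the change still contain them.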
No fixed version of Jenkins dbCharts Plugin is listed here, so for versions 0.5.2 and earlier, restrict access to the Jenkins controller file system to reduce the risk of password exposure. As a temporary workaround, limit read access to hudson.plugins.dbcharts.DbChartPublisher.xml (and to backups or copies of JENKINS_HOME that contain it) to the Jenkins process owner and trusted administrators. This narrows who can read the unencrypted JDBC passwords but does not encrypt them; anyone who already had file system access should be assumed to have seen them.
Fix
No fixed version is listed.
Weakness Enumeration
CWE-522: Insufficiently Protected Credentials
Related Identifiers
Affected Products
Jenkins
Jenkins Dbcharts Plugin