PT-2022-19392 · Jenkins · Jenkins Google Compute Engine Plugin

Daniel Beck · Published 2022-04-12 · Updated 2023-12-22 · CVE-2022-29052

CVSS v3.1: 4.3 Medium

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Jenkins Google Compute Engine Plugin versions 4.3.8 and earlier

Description

The issue allows private keys to be stored unencrypted in cloud agent config.xml files on the Jenkins controller. These keys can be viewed by users with Agent/Extended Read permission or by anyone with access to the Jenkins controller file system.

Recommendations

For versions 4.3.8 and earlier, consider restricting access to the Jenkins controller file system and limiting Agent/Extended Read permissions to minimize the risk of exploitation. As a temporary workaround, restrict access to the config.xml files until a patch is available.
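
A defender-side check for the exposure described above, as an added example that is not part of the advisory or the plugin's code: it walks a Jenkins home directory and reports every config.xml in which a PEM private key header appears in clear text. Scanning every file named config.xml under the given directory, and the command-line usage, are assumptions of this example.

```python
import re
import sys
from pathlib import Path

# PEM header of a private key stored as readable text. A value that Jenkins
# has encrypted is an opaque string and never contains this header.
# "ENCRYPTED PRIVATE KEY" blocks are deliberately not matched.
PEM_KEY = re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")


def scan_config(path):
    """Return 1-based line numbers in one file where a PEM private key starts.

    Text scan, not an XML parse: Jenkins can write config.xml with an XML 1.1
    declaration, which Python's expat-based parser does not accept.
    """
    try:
        text = Path(path).read_text(encoding="utf-8", errors="replace")
    except OSError:
        return []  # unreadable file: nothing to report from this account
    return [n for n, line in enumerate(text.splitlines(), 1)
            if PEM_KEY.search(line)]


def find_plaintext_keys(jenkins_home):
    """Map each config.xml under jenkins_home to the lines exposing a key."""
    findings = {}
    for cfg in sorted(Path(jenkins_home).rglob("config.xml")):
        lines = scan_config(cfg)
        if lines:
            findings[str(cfg)] = lines
    return findings


if __name__ == "__main__":
    # Assumed usage: python scan.py /path/to/jenkins_home
    home = sys.argv[1] if len(sys.argv) > 1 else "."
    for cfg, lines in find_plaintext_keys(home).items():
        print(f"{cfg}: PEM private key in clear text at line(s) {lines}")
```

Any file it reports holds key material readable by the users named in the description, so that key should be treated as exposed and rotated.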

Fix

Insufficiently Protected Credentials

Weakness Enumeration

Related Identifiers

CVE-2022-29052
GHSA-VHXQ-9MPV-GJ87

Affected Products

Jenkins
Jenkins Google Compute Engine Plugin