PT-2022-22084 · Jenkins · Jenkins Squash Tm Publisher Plugin+1
Long Nguyen
·
Published
2022-06-22
·
Updated
2023-11-03
·
CVE-2022-34213
CVSS v3.1
6.5
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Jenkins Squash TM Publisher (Squash4Jenkins) Plugin versions 1.0.0 and earlier
Description
The issue allows passwords to be stored unencrypted in the global configuration file on the Jenkins controller, making them accessible to users with access to the Jenkins controller file system. The configuration file
org.jenkinsci.squashtm.core.SquashTMPublisher.xml contains these unencrypted passwords as part of its configuration.Recommendations
For Jenkins Squash TM Publisher (Squash4Jenkins) Plugin versions 1.0.0 and earlier, consider restricting access to the Jenkins controller file system to minimize the risk of password exposure until a patch is available. As a temporary workaround, limit user access to the global configuration file to prevent unauthorized viewing of unencrypted passwords.
Fix
Insufficiently Protected Credentials
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Jenkins
Jenkins Squash Tm Publisher Plugin