PT-2022-22368 · Hewlett Packard+1 · Jenkins Hpe Network Virtualization Plugin+1
Long Nguyen · Published 2022-06-30 · Updated 2023-11-22 · CVE-2022-34816
CVSS v2.0: 4.0 (Medium)
Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Jenkins HPE Network Virtualization Plugin version 1.0
Description
The plugin stores passwords unencrypted in its global configuration file, org.jenkinsci.plugins.nvemulation.plugin.NvEmulationBuilder.xml, on the Jenkins controller. Users with access to the Jenkins controller file system can view these passwords.
Recommendations
For Jenkins HPE Network Virtualization Plugin version 1.0, consider restricting access to the Jenkins controller file system to minimize the risk of password exposure. As a temporary workaround, limit the privileges of users who have access to the file system to reduce potential damage.
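A controller-side check for this exposure, added here as an example (not code from the plugin or from this advisory): it flags the configuration file when it is readable beyond its owner and names password-like elements whose value is not in the {base64} form Jenkins uses for encrypted secrets. The element names in the sample and the "password in the tag name" heuristic are assumptions, since the advisory does not list the fields.

```python
import os, re, stat, sys
import xml.etree.ElementTree as ET

# File name from the advisory; global config files sit directly under JENKINS_HOME.
CONFIG_NAME = "org.jenkinsci.plugins.nvemulation.plugin.NvEmulationBuilder.xml"

# Constructed sample: element names and values are hypothetical.
SAMPLE_XML = """<?xml version='1.1' encoding='UTF-8'?>
<descriptor>
  <serverPassword>{AQAAABAAAAAQY29uc3RydWN0ZWQtc2FtcGxl}</serverPassword>
  <proxyPassword>constructed-plaintext</proxyPassword>
</descriptor>
"""

def looks_encrypted(value):
    # Jenkins serialises an encrypted Secret as "{<base64>}".
    return re.fullmatch(r"\{[A-Za-z0-9+/=]+\}", value.strip()) is not None

def audit_xml(text):
    """Return names of password-like elements whose value is not encrypted."""
    # Jenkins may write an XML 1.1 declaration, which Python's expat parser
    # does not accept, so drop the declaration before parsing.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", text)
    hits = []
    for elem in ET.fromstring(body).iter():
        value = (elem.text or "").strip()
        # Assumption: password fields have "password" in the element name.
        if "password" in elem.tag.lower() and value and not looks_encrypted(value):
            hits.append(elem.tag)  # report the name only, never the secret
    return hits

def audit_file(path):
    """Return findings for file permissions and plaintext password fields."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("mode %04o: readable beyond the owner" % mode)
    with open(path, encoding="utf-8", errors="replace") as fh:
        findings += ["plaintext value in <%s>" % t for t in audit_xml(fh.read())]
    return findings

if __name__ == "__main__":
    home = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("JENKINS_HOME", ".")
    path = os.path.join(home, CONFIG_NAME)
    # Without the real file, fall back to the constructed sample.
    result = audit_file(path) if os.path.exists(path) else audit_xml(SAMPLE_XML)
    print("\n".join(result) or "no findings")
```

Run it as the Jenkins service account with JENKINS_HOME set, or pass the home directory as the first argument.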
Fix
Insufficiently Protected Credentials
Related Identifiers
Affected Products
Jenkins
Jenkins Hpe Network Virtualization Plugin