PT-2022-27494 · Jenkins · Jenkins Ns-Nd Integration Performance Publisher Plugin
Daniel Beck · Published 2022-11-15 · Updated 2025-04-30 · CVE-2022-45392
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Jenkins NS-ND Integration Performance Publisher Plugin versions 4.8.0.143 and earlier
Description
The plugin stores passwords unencrypted in job config.xml files on the Jenkins controller as part of its configuration. Attackers with Item/Extended Read permission or access to the Jenkins controller file system can view these passwords.
Recommendations
For Jenkins NS-ND Integration Performance Publisher Plugin versions 4.8.0.143 and earlier, update to version 4.8.0.146 or later, which stores passwords encrypted once job configurations are saved again. As a temporary workaround, consider restricting access to the Jenkins controller file system and limiting Extended Read permission to minimize the risk of exploitation.
Fix
Insufficiently Protected Credentials
Affected Products
Jenkins
Jenkins Ns-Nd Integration Performance Publisher Plugin