PT-2022-4019 · Jenkins · Jenkins Http Request Plugin

Published: 2022-07-27 · Updated: 2023-11-02 · CVE-2022-36901

CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:L/Au:S/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins HTTP Request Plugin versions 1.15 and earlier

Description: The plugin stores HTTP Request passwords unencrypted in its global configuration file on the Jenkins controller, so any user with access to the Jenkins controller file system can read them. A remote attacker can exploit the vulnerability to disclose protected information.

Recommendations: For Jenkins HTTP Request Plugin versions 1.15 and earlier, consider updating to a version that stores passwords securely. As a temporary workaround, restrict access to the Jenkins controller file system to minimize the risk of password disclosure. Avoid using the deprecated Basic/Digest Authentication method until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
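As an added defender-side check (not code from this advisory, from Jenkins or from the plugin project), the script below scans a Jenkins global configuration XML for password-like elements whose value is not in the encrypted `{...}` form that Jenkins uses for Secret-typed fields, so an administrator can confirm whether a controller still holds such credentials in the clear. The sample XML and its element names are constructed for illustration, and the config file path is an assumption the operator supplies on the command line.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Jenkins writes Secret-typed fields as base64 text wrapped in braces, e.g. "{AQAAABAAAA...}".
# A password-like element whose text does not have that shape is stored unencrypted.
ENCRYPTED_SECRET = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")
PASSWORD_TAG = re.compile(r"pass(word)?|secret|token", re.IGNORECASE)


def find_plaintext_passwords(xml_text: str) -> list[str]:
    """Return the element paths of password-like fields that are not Jenkins-encrypted.

    Only locations are returned, never the values, so the report itself does not leak them.
    """
    root = ET.fromstring(xml_text)
    findings: list[str] = []

    def walk(elem: ET.Element, path: str) -> None:
        for child in elem:
            child_path = f"{path}/{child.tag}"
            text = (child.text or "").strip()
            if PASSWORD_TAG.search(child.tag) and text and not ENCRYPTED_SECRET.match(text):
                findings.append(child_path)
            walk(child, child_path)

    walk(root, root.tag)
    return findings


# Constructed sample (not a real Jenkins file): one plaintext password, one encrypted secret.
SAMPLE_CONFIG = """<globalConfig>
  <basicDigestAuthentications>
    <basicDigestAuthentication>
      <keyName>legacy-api</keyName>
      <userName>deploy</userName>
      <password>hunter2</password>
    </basicDigestAuthentication>
  </basicDigestAuthentications>
  <otherPlugin>
    <password>{AQAAABAAAAAQc29tZXNlY3JldA==}</password>
  </otherPlugin>
</globalConfig>
"""

if __name__ == "__main__":
    # Assumption: the operator passes the plugin's global config file from the controller's JENKINS_HOME.
    config_path = sys.argv[1] if len(sys.argv) > 1 else None
    xml_text = open(config_path, encoding="utf-8").read() if config_path else SAMPLE_CONFIG
    for elem_path in find_plaintext_passwords(xml_text):
        print(f"unencrypted credential stored at {elem_path}")
```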

Weakness Enumeration

Insufficiently Protected Credentials
Exposure of Resource to Wrong Sphere

Related Identifiers

BDU:2022-04852
CVE-2022-36901
GHSA-2QH6-HHVV-M2WW

Affected Products

Jenkins
Jenkins Http Request Plugin