Lucene search

GitHub Advisory DatabaseGHSA-GG9M-X3CG-69VH

HistoryJan 13, 2022 - 12:00 a.m.

Access key stored in plain text by Jenkins Metrics Plugin

2022-01-1300:00:57

CWE-522

GitHub Advisory Database

github.com

jenkins metrics plugin

access key

plain text

configuration

file system

encryption

token

security

CVSS2

2.1

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:L/Au:N/C:P/I:N/A:N

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

Percentile

12.6%

JSON

Jenkins Metrics Plugin 4.0.2.8 and earlier stores an access key unencrypted in its global configuration file jenkins.metrics.api.MetricsAccessKey.xml on the Jenkins controller as part of its configuration.

This access key can be viewed by users with access to the Jenkins controller file system.

Jenkins Metrics Plugin 4.0.2.8.1 stores access key encrypted once its configuration is saved again.

Additionally, the token value is only displayed once when it is generated.

Affected configurations

Vulners

Node

org.jenkins-ci.pluginsmetricsRange<4.0.2.7.1

org.jenkins-ci.pluginsmetricsMatch4.0.2.8

VendorProductVersionCPE
org.jenkins-ci.pluginsmetrics*cpe:2.3:a:org.jenkins-ci.plugins:metrics:*:*:*:*:*:*:*:*
org.jenkins-ci.pluginsmetrics4.0.2.8cpe:2.3:a:org.jenkins-ci.plugins:metrics:4.0.2.8:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
org.jenkins-ci.plugins	metrics	*	cpe:2.3:a:org.jenkins-ci.plugins:metrics::::::::
org.jenkins-ci.plugins	metrics	4.0.2.8	cpe:2.3:a:org.jenkins-ci.plugins:metrics:4.0.2.8:::::::*