Lucene search

GoogleOSV:GHSA-PGP9-X83G-V8X8

HistoryJul 01, 2022 - 12:01 a.m.

Plaintext Storage of a Password in Jenkins RocketChat Notifier Plugin

2022-07-0100:01:07

Google

osv.dev

jenkins

rocketchat

notifier plugin

password storage

unencrypted

configuration file

security issue

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

22.0%

JSON

Jenkins RocketChat Notifier Plugin 1.5.2 and earlier stores the login password and webhook token unencrypted in its global configuration file RocketChatNotifier.xml on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

References

github.com/jenkinsci/rocketchatnotifier-plugin

nvd.nist.gov/vuln/detail/CVE-2022-34802

www.jenkins.io/security/advisory/2022-06-30/#SECURITY-2088

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

22.0%

JSON

Related for OSV:GHSA-PGP9-X83G-V8X8