Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1nZzltLXgzY2ctNjl2aM0ijw
Access key stored in plain text by Jenkins Metrics Plugin
Jenkins Metrics Plugin 4.0.2.8 and earlier stores an access key unencrypted in its global configuration file jenkins.metrics.api.MetricsAccessKey.xml
on the Jenkins controller as part of its configuration.
This access key can be viewed by users with access to the Jenkins controller file system.
Jenkins Metrics Plugin 4.0.2.8.1 stores access key encrypted once its configuration is saved again.
Additionally, the token value is only displayed once when it is generated.
Permalink: https://github.com/advisories/GHSA-gg9m-x3cg-69vhJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1nZzltLXgzY2ctNjl2aM0ijw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 3 years ago
Updated: 12 months ago
CVSS Score: 5.5
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-gg9m-x3cg-69vh, CVE-2022-20621
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-20621
- https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-1624
- http://www.openwall.com/lists/oss-security/2022/01/12/6
- https://github.com/jenkinsci/metrics-plugin/commit/9810480370d4c5e04a2b710934db5461bde0d1b6
- https://github.com/advisories/GHSA-gg9m-x3cg-69vh
Blast Radius: 1.0
Affected Packages
maven:org.jenkins-ci.plugins:metrics
Affected Version Ranges: < 4.0.2.7.1, = 4.0.2.8Fixed in: 4.0.2.7.1, 4.0.2.8.1