Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS1nZzltLXgzY2ctNjl2aM0ijw

Access key stored in plain text by Jenkins Metrics Plugin

Jenkins Metrics Plugin 4.0.2.8 and earlier stores an access key unencrypted in its global configuration file jenkins.metrics.api.MetricsAccessKey.xml on the Jenkins controller as part of its configuration.

This access key can be viewed by users with access to the Jenkins controller file system.

Jenkins Metrics Plugin 4.0.2.8.1 stores access key encrypted once its configuration is saved again.

Additionally, the token value is only displayed once when it is generated.

Permalink: https://github.com/advisories/GHSA-gg9m-x3cg-69vh
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1nZzltLXgzY2ctNjl2aM0ijw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 3 years ago
Updated: 12 months ago

CVSS Score: 5.5
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Identifiers: GHSA-gg9m-x3cg-69vh, CVE-2022-20621
References:

• https://nvd.nist.gov/vuln/detail/CVE-2022-20621
• https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-1624
• http://www.openwall.com/lists/oss-security/2022/01/12/6
• https://github.com/jenkinsci/metrics-plugin/commit/9810480370d4c5e04a2b710934db5461bde0d1b6
• https://github.com/advisories/GHSA-gg9m-x3cg-69vh

Repository: https://github.com/jenkinsci/metrics-plugin
Blast Radius: 1.0

Affected Packages