CVE-2022-23114: Jenkins Publish Over SSH Plugin 1.22 and earlier stores password unencrypted in its global configuration file on the Jenkins controller where it can be viewed…

low3.3CVSS 3.1

AVLACLPRLUINSUCLINAN

Jenkins Publish Over SSH Plugin 1.22 and earlier stores password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

Affected

25 ranges

Vendor	Product	Version range	Fixed in
jenkins	active_directory_plugin	—	—
jenkins	badge_plugin	—	—
jenkins	bitbucket_branch_source_plugin	—	—
jenkins	configuration_as_code_plugin	—	—
jenkins	conjur_secrets_plugin	—	—
jenkins	credentials_binding_plugin	—	—
jenkins	credentials_plugin	—	—
jenkins	debian_package_builder_plugin	—	—
jenkins	docker_commons_plugin	—	—
jenkins	groovy_plugin	—	—
jenkins	hashicorp_vault_plugin	—	—
jenkins	ids_in_bitbucket_branch_source_plugin	—	—
jenkins	improper_credentials_masking_in_hashicorp_vault_plugin	—	—
jenkins	jenkins_core	—	—
jenkins	jenkins_lts	—	—
jenkins	jenkins_ui_requesting_they_update_the_plugin	—	—
jenkins	jenkins_weekly	—	—
jenkins	mailer_plugin	—	—
jenkins	matrix_project_plugin	—	—
jenkins	metrics_plugin	—	—
jenkins	publish_over_ssh	<= 1.22	—
jenkins	publish_over_ssh_plugin	—	—
jenkins	ssh_agent_plugin	—	—
jenkins	warnings_plugin	—	—
jenkins_project	jenkins_publish_over_ssh_plugin	unspecified – 1.22	—