Severity: 5.5 MEDIUM (NVD)
EPSS: 0.4% (top 38.90%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 15, latest update Mar 16

Description

Jenkins Parameterized Trigger Plugin 2.43 and earlier captures environment variables passed to builds triggered using Jenkins Parameterized Trigger Plugin, including password parameter values, in their `build.xml` files. These values are stored unencrypted and can be viewed by users with access to the Jenkins controller file system.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 1.8 | Impact: 3.6

🔴 Vulnerability Details

OSV: Sensitive parameter values captured in build metadata files by Jenkins Parameterized Trigger Plugin (2022-03-16)
GHSA: Sensitive parameter values captured in build metadata files by Jenkins Parameterized Trigger Plugin (2022-03-16)

📋 Vendor Advisories

Red Hat: jenkins-2-plugins/parameterized-trigger: Information disclosure (2022-03-15)
Jenkins: Jenkins Security Advisory 2022-03-15 (2022-03-15)

📐 Framework References

CWE: Cleartext Storage of Sensitive Information in an Environment Variable