CVE-2022-29052

CWE-522 — Insufficiently Protected Credentials5 documents5 sources

Severity

4.3MEDIUM

EPSS

0.1%

top 65.05%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Project Jenkins Google Compute Engine Plugin Jenkins Google Compute Engine

Timeline

PublishedApr 12

Latest updateApr 13

Description

Jenkins Google Compute Engine Plugin 4.3.8 and earlier stores private keys unencrypted in cloud agent config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages3 packages

▶Mavenorg.jenkins-ci.plugins:google-compute-engine< 4.3.9

▶CVEListV5jenkins_project/jenkins_google_compute_engine_pluginunspecified — 4.3.8

▶NVDjenkins/google_compute_engine4.3.8

🔴Vulnerability Details

OSV

Private key stored in plain text by Jenkins Google Compute Engine Plugin↗2022-04-13

▶

GHSA

Private key stored in plain text by Jenkins Google Compute Engine Plugin↗2022-04-13

▶

CVEList

CVE-2022-29052: Jenkins Google Compute Engine Plugin 4↗2022-04-12

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2022-04-12↗2022-04-12

▶