CVE-2022-34802

CWE-522 — Insufficiently Protected Credentials CWE-2565 documents5 sources

Severity

4.3MEDIUM

EPSS

0.3%

top 49.29%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Project Jenkins Rocketchat Notifier Plugin Jenkins Rocketchat Notifier

Timeline

PublishedJun 30

Latest updateJul 1

Description

Jenkins RocketChat Notifier Plugin 1.5.2 and earlier stores the login password and webhook token unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages3 packages

▶Mavenorg.jenkins-ci.plugins:rocketchatnotifier1.5.2

▶CVEListV5jenkins_project/jenkins_rocketchat_notifier_pluginunspecified — 1.5.2

▶NVDjenkins/rocketchat_notifier1.5.2

🔴Vulnerability Details

GHSA

Plaintext Storage of a Password in Jenkins RocketChat Notifier Plugin↗2022-07-01

▶

OSV

Plaintext Storage of a Password in Jenkins RocketChat Notifier Plugin↗2022-07-01

▶

CVEList

CVE-2022-34802: Jenkins RocketChat Notifier Plugin 1↗2022-06-30

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2022-06-30↗2022-06-30

▶