CVE-2022-41255: Insufficiently Protected Credentials in Project Jenkins Cons3rt Plugin

Severity
6.5 MEDIUM (NVD)
EPSS
0.3%
top 42.57%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Sep 21
Latest update: Sep 22

Description

Jenkins CONS3RT Plugin 1.0.0 and earlier stores Cons3rt API token unencrypted in job config.xml files on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 2.8 | Impact: 3.6

Affected Packages (2 packages)

CVEListV5  jenkins_project/jenkins_cons3rt_plugin  unspecified  1.0.0
NVD  jenkins/cons3rt  1.0.0

🔴Vulnerability Details

3
OSV
API token stored in plain text by Jenkins CONS3RT Plugin (2022-09-22)
GHSA
API token stored in plain text by Jenkins CONS3RT Plugin (2022-09-22)
CVEList
CVE-2022-41255: Jenkins CONS3RT Plugin 1 (2022-09-21)

📋Vendor Advisories

1
Jenkins
Jenkins Security Advisory 2022-09-21 (2022-09-21)