CVE-2022-45384

CWE-522 — Insufficiently Protected Credentials CWE-2565 documents5 sources

Severity

6.5MEDIUM

EPSS

0.8%

top 26.81%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Reverse Proxy Auth Jenkins Project Jenkins Reverse Proxy Auth Plugin

Timeline

PublishedNov 15

Latest updateNov 16

Description

Jenkins Reverse Proxy Auth Plugin 1.7.3 and earlier stores the LDAP manager password unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by attackers with access to the Jenkins controller file system.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶Mavenorg.jenkins-ci.main:reverse-proxy-auth-plugin1.7.3 — 1.7.4

▶CVEListV5jenkins_project/jenkins_reverse_proxy_auth_pluginunspecified — 1.7.3

▶NVDjenkins/reverse_proxy_auth< 1.7.4

🔴Vulnerability Details

GHSA

Jenkins Reverse Proxy Auth Plugin vulnerable due to plaintext storage of passwords↗2022-11-16

▶

OSV

Jenkins Reverse Proxy Auth Plugin vulnerable due to plaintext storage of passwords↗2022-11-16

▶

CVEList

CVE-2022-45384: Jenkins Reverse Proxy Auth Plugin 1↗2022-11-15

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2022-11-15↗2022-11-15

▶