CVE-2022-45392 — Insufficiently Protected Credentials in Jenkins Ns-nd Integration Performance Publisher

CWE-522 — Insufficiently Protected Credentials CWE-256 — Plaintext Storage of a Password5 documents5 sources

Severity

6.5MEDIUMNVD

EPSS

0.4%

top 42.22%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Ns-nd Integration Performance Publisher Jenkins Project Jenkins Ns-nd Integration Performance Publisher Plugin

Timeline

PublishedNov 15

Latest updateNov 16

Description

Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.143 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by attackers with Extended Read permission, or access to the Jenkins controller file system.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5jenkins_project/jenkins_ns-nd_integration_performance_publisher_pluginunspecified — 4.8.0.143

▶NVDjenkins/ns-nd_integration_performance_publisher< 4.8.0.146

🔴Vulnerability Details

GHSA

Plaintext Storage of a Password in Jenkins NS-ND Integration Performance Publisher Plugin↗2022-11-16

▶

OSV

Plaintext Storage of a Password in Jenkins NS-ND Integration Performance Publisher Plugin↗2022-11-16

▶

CVEList

CVE-2022-45392: Jenkins NS-ND Integration Performance Publisher Plugin 4↗2022-11-15

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2022-11-15↗2022-11-15

▶