CVE-2022-36901 - OpenCVE

Jenkins HTTP Request Plugin 1.15 and earlier stores HTTP Request passwords unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Jenkins	Http Request

Configuration 1 [-]

cpe:2.3:a:jenkins:http_request:*:*:*:*:*:jenkins:*:*

References

Link	Resource
http://www.openwall.com/lists/oss-security/2022/07/27/1	Mailing List Third Party Advisory
https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-2053	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: jenkins

Published: 2022-07-27T14:25:00

Updated: 2023-10-24T14:24:17.891Z

Reserved: 2022-07-27T00:00:00

Link: CVE-2022-36901

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-07-27T15:15:09.827

Modified: 2023-11-02T21:06:17.390

Link: CVE-2022-36901

JSON object: View

Redhat Information

No data.

CWE

CWE-522

{"containers": {"cna": {"affected": [{"product": "Jenkins HTTP Request Plugin", "vendor": "Jenkins project", "versions": [{"lessThanOrEqual": "1.15", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "unknown", "version": "next of 1.15", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Jenkins HTTP Request Plugin 1.15 and earlier stores HTTP Request passwords unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system."}], "providerMetadata": {"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins", "dateUpdated": "2023-10-24T14:24:17.891Z"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-2053"}, {"name": "[oss-security] 20220727 Multiple vulnerabilities in Jenkins plugins", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2022/07/27/1"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "jenkinsci-cert@googlegroups.com", "ID": "CVE-2022-36901", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Jenkins HTTP Request Plugin", "version": {"version_data": [{"version_affected": "<=", "version_value": "1.15"}, {"version_affected": "?>", "version_value": "1.15"}]}}]}, "vendor_name": "Jenkins project"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Jenkins HTTP Request Plugin 1.15 and earlier stores HTTP Request passwords unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-256: Plaintext Storage of a Password"}]}]}, "references": {"reference_data": [{"name": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-2053", "refsource": "CONFIRM", "url": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-2053"}, {"name": "[oss-security] 20220727 Multiple vulnerabilities in Jenkins plugins", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/07/27/1"}]}}}}, "cveMetadata": {"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2022-36901", "datePublished": "2022-07-27T14:25:00", "dateReserved": "2022-07-27T00:00:00", "dateUpdated": "2023-10-24T14:24:17.891Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}