Vulnerability-Lookup

CVE-2022-27218 (GCVE-0-2022-27218)

Vulnerability from cvelistv5 – Published: 2022-03-15 16:46 – Updated: 2024-08-03 05:25

Summary

Jenkins incapptic connect uploader Plugin 1.15 and earlier stores tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

Severity

4.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Assigner

jenkins

References

2 references

URL	Tags
https://www.jenkins.io/security/advisory/2022-03-…	x_refsource_CONFIRM
http://www.openwall.com/lists/oss-security/2022/03/15/2	mailing-listx_refsource_MLIST

Impacted products

1 product

Vendor	Product	Version
Jenkins project	Jenkins incapptic connect uploader Plugin	Affected: unspecified , ≤ 1.15 (custom) Unknown: next of 1.15 , < unspecified (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T05:25:32.671Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.jenkins.io/security/advisory/2022-03-15/#SECURITY-2273"
          },
          {
            "name": "[oss-security] 20220315 Multiple vulnerabilities in Jenkins plugins",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2022/03/15/2"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Jenkins incapptic connect uploader Plugin",
          "vendor": "Jenkins project",
          "versions": [
            {
              "lessThanOrEqual": "1.15",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "unspecified",
              "status": "unknown",
              "version": "next of 1.15",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Jenkins incapptic connect uploader Plugin 1.15 and earlier stores tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-10-24T14:20:44.301Z",
        "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
        "shortName": "jenkins"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.jenkins.io/security/advisory/2022-03-15/#SECURITY-2273"
        },
        {
          "name": "[oss-security] 20220315 Multiple vulnerabilities in Jenkins plugins",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2022/03/15/2"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "jenkinsci-cert@googlegroups.com",
          "ID": "CVE-2022-27218",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Jenkins incapptic connect uploader Plugin",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "1.15"
                          },
                          {
                            "version_affected": "?\u003e",
                            "version_value": "1.15"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Jenkins project"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Jenkins incapptic connect uploader Plugin 1.15 and earlier stores tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-256: Plaintext Storage of a Password"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.jenkins.io/security/advisory/2022-03-15/#SECURITY-2273",
              "refsource": "CONFIRM",
              "url": "https://www.jenkins.io/security/advisory/2022-03-15/#SECURITY-2273"
            },
            {
              "name": "[oss-security] 20220315 Multiple vulnerabilities in Jenkins plugins",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2022/03/15/2"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
    "assignerShortName": "jenkins",
    "cveId": "CVE-2022-27218",
    "datePublished": "2022-03-15T16:46:12.000Z",
    "dateReserved": "2022-03-15T00:00:00.000Z",
    "dateUpdated": "2024-08-03T05:25:32.671Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2022-27218",
      "date": "2026-06-20",
      "epss": "0.00719",
      "percentile": "0.49013"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:jenkins:incapptic_connect_uploader:*:*:*:*:*:jenkins:*:*\", \"versionEndIncluding\": \"1.15\", \"matchCriteriaId\": \"36E10CE5-ED76-44B3-9714-C5C8E5CB9865\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Jenkins incapptic connect uploader Plugin 1.15 and earlier stores tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.\"}, {\"lang\": \"es\", \"value\": \"El Plugin incapptic connect uploader de Jenkins versiones 1.15 y anteriores, almacena los tokens sin cifrar en los archivos job config.xml en el controlador Jenkins donde pueden ser visualizados por los usuarios con permiso de Lectura Extendida, o con acceso al sistema de archivos del controlador Jenkins\"}]",
      "id": "CVE-2022-27218",
      "lastModified": "2024-11-21T06:55:25.967",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\", \"baseScore\": 4.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 1.4}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:S/C:P/I:N/A:N\", \"baseScore\": 4.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.0, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2022-03-15T17:15:12.877",
      "references": "[{\"url\": \"http://www.openwall.com/lists/oss-security/2022/03/15/2\", \"source\": \"jenkinsci-cert@googlegroups.com\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://www.jenkins.io/security/advisory/2022-03-15/#SECURITY-2273\", \"source\": \"jenkinsci-cert@googlegroups.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2022/03/15/2\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://www.jenkins.io/security/advisory/2022-03-15/#SECURITY-2273\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "jenkinsci-cert@googlegroups.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-522\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-27218\",\"sourceIdentifier\":\"jenkinsci-cert@googlegroups.com\",\"published\":\"2022-03-15T17:15:12.877\",\"lastModified\":\"2026-06-17T04:36:31.137\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Jenkins incapptic connect uploader Plugin 1.15 and earlier stores tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.\"},{\"lang\":\"es\",\"value\":\"El Plugin incapptic connect uploader de Jenkins versiones 1.15 y anteriores, almacena los tokens sin cifrar en los archivos job config.xml en el controlador Jenkins donde pueden ser visualizados por los usuarios con permiso de Lectura Extendida, o con acceso al sistema de archivos del controlador Jenkins\"}],\"affected\":[{\"source\":\"jenkinsci-cert@googlegroups.com\",\"affectedData\":[{\"vendor\":\"Jenkins project\",\"product\":\"Jenkins incapptic connect uploader Plugin\",\"versions\":[{\"version\":\"unspecified\",\"lessThanOrEqual\":\"1.15\",\"versionType\":\"custom\",\"status\":\"affected\"},{\"version\":\"next of 1.15\",\"lessThan\":\"unspecified\",\"versionType\":\"custom\",\"status\":\"unknown\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:P/I:N/A:N\",\"baseScore\":4.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-522\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:jenkins:incapptic_connect_uploader:*:*:*:*:*:jenkins:*:*\",\"versionEndIncluding\":\"1.15\",\"matchCriteriaId\":\"36E10CE5-ED76-44B3-9714-C5C8E5CB9865\"}]}]}],\"references\":[{\"url\":\"http://www.openwall.com/lists/oss-security/2022/03/15/2\",\"source\":\"jenkinsci-cert@googlegroups.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://www.jenkins.io/security/advisory/2022-03-15/#SECURITY-2273\",\"source\":\"jenkinsci-cert@googlegroups.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2022/03/15/2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://www.jenkins.io/security/advisory/2022-03-15/#SECURITY-2273\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}

CNVD-2022-79872

Vulnerability from cnvd - Published: 2022-11-23

Title

Jenkins incapptic connect uploader Plugin存在未明漏洞

Description

Jenkins和Jenkins Plugin都是Jenkins开源的产品。Jenkins是一个应用软件。一个开源自动化服务器Jenkins提供了数百个插件来支持构建，部署和自动化任何项目。Jenkins Plugin是一个应用软件。 Jenkins incapptic connect uploader Plugin本存在安全漏洞，该漏洞源于插件将未加密的令牌存储在Jenkins控制器上的config.xml文件中，具有扩展读取权限或访问Jenkins控制器文件系统的攻击者可利用该漏洞查看配置文件和未加密的令牌。

Severity

中

Patch Name

Jenkins incapptic connect uploader Plugin存在未明漏洞的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://www.jenkins.io/security/advisory/2022-03-15/#SECURITY-2273

Reference

https://www.jenkins.io/security/advisory/2022-03-15/#SECURITY-2273

Impacted products

Name
Jenkins incapptic connect uploader Plugin <=1.15

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2022-27218",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2022-27218"
    }
  },
  "description": "Jenkins\u548cJenkins Plugin\u90fd\u662fJenkins\u5f00\u6e90\u7684\u4ea7\u54c1\u3002Jenkins\u662f\u4e00\u4e2a\u5e94\u7528\u8f6f\u4ef6\u3002\u4e00\u4e2a\u5f00\u6e90\u81ea\u52a8\u5316\u670d\u52a1\u5668Jenkins\u63d0\u4f9b\u4e86\u6570\u767e\u4e2a\u63d2\u4ef6\u6765\u652f\u6301\u6784\u5efa\uff0c\u90e8\u7f72\u548c\u81ea\u52a8\u5316\u4efb\u4f55\u9879\u76ee\u3002Jenkins Plugin\u662f\u4e00\u4e2a\u5e94\u7528\u8f6f\u4ef6\u3002\n\nJenkins incapptic connect uploader Plugin\u672c\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u63d2\u4ef6\u5c06\u672a\u52a0\u5bc6\u7684\u4ee4\u724c\u5b58\u50a8\u5728Jenkins\u63a7\u5236\u5668\u4e0a\u7684config.xml\u6587\u4ef6\u4e2d\uff0c\u5177\u6709\u6269\u5c55\u8bfb\u53d6\u6743\u9650\u6216\u8bbf\u95eeJenkins\u63a7\u5236\u5668\u6587\u4ef6\u7cfb\u7edf\u7684\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u67e5\u770b\u914d\u7f6e\u6587\u4ef6\u548c\u672a\u52a0\u5bc6\u7684\u4ee4\u724c\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://www.jenkins.io/security/advisory/2022-03-15/#SECURITY-2273",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-79872",
  "openTime": "2022-11-23",
  "patchDescription": "Jenkins\u548cJenkins Plugin\u90fd\u662fJenkins\u5f00\u6e90\u7684\u4ea7\u54c1\u3002Jenkins\u662f\u4e00\u4e2a\u5e94\u7528\u8f6f\u4ef6\u3002\u4e00\u4e2a\u5f00\u6e90\u81ea\u52a8\u5316\u670d\u52a1\u5668Jenkins\u63d0\u4f9b\u4e86\u6570\u767e\u4e2a\u63d2\u4ef6\u6765\u652f\u6301\u6784\u5efa\uff0c\u90e8\u7f72\u548c\u81ea\u52a8\u5316\u4efb\u4f55\u9879\u76ee\u3002Jenkins Plugin\u662f\u4e00\u4e2a\u5e94\u7528\u8f6f\u4ef6\u3002\r\n\r\nJenkins incapptic connect uploader Plugin\u672c\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u63d2\u4ef6\u5c06\u672a\u52a0\u5bc6\u7684\u4ee4\u724c\u5b58\u50a8\u5728Jenkins\u63a7\u5236\u5668\u4e0a\u7684config.xml\u6587\u4ef6\u4e2d\uff0c\u5177\u6709\u6269\u5c55\u8bfb\u53d6\u6743\u9650\u6216\u8bbf\u95eeJenkins\u63a7\u5236\u5668\u6587\u4ef6\u7cfb\u7edf\u7684\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u67e5\u770b\u914d\u7f6e\u6587\u4ef6\u548c\u672a\u52a0\u5bc6\u7684\u4ee4\u724c\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Jenkins incapptic connect uploader Plugin\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Jenkins incapptic connect uploader Plugin \u003c=1.15"
  },
  "referenceLink": "https://www.jenkins.io/security/advisory/2022-03-15/#SECURITY-2273",
  "serverity": "\u4e2d",
  "submitTime": "2022-03-17",
  "title": "Jenkins incapptic connect uploader Plugin\u5b58\u5728\u672a\u660e\u6f0f\u6d1e"
}

FKIE_CVE-2022-27218

Vulnerability from fkie_nvd - Published: 2022-03-15 17:15 - Updated: 2026-06-17 04:36

Severity

4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Summary

References

URL	Tags
jenkinsci-cert@googlegroups.com	http://www.openwall.com/lists/oss-security/2022/03/15/2	Mailing List, Third Party Advisory
jenkinsci-cert@googlegroups.com	https://www.jenkins.io/security/advisory/2022-03-15/#SECURITY-2273	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2022/03/15/2	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.jenkins.io/security/advisory/2022-03-15/#SECURITY-2273	Vendor Advisory

Impacted products

	Vendor	Product	Version
	jenkins	incapptic_connect_uploader	*

JSON

To clipboard

{
  "affected": [
    {
      "affectedData": [
        {
          "product": "Jenkins incapptic connect uploader Plugin",
          "vendor": "Jenkins project",
          "versions": [
            {
              "lessThanOrEqual": "1.15",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "unspecified",
              "status": "unknown",
              "version": "next of 1.15",
              "versionType": "custom"
            }
          ]
        }
      ],
      "source": "jenkinsci-cert@googlegroups.com"
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:jenkins:incapptic_connect_uploader:*:*:*:*:*:jenkins:*:*",
              "matchCriteriaId": "36E10CE5-ED76-44B3-9714-C5C8E5CB9865",
              "versionEndIncluding": "1.15",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Jenkins incapptic connect uploader Plugin 1.15 and earlier stores tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system."
    },
    {
      "lang": "es",
      "value": "El Plugin incapptic connect uploader de Jenkins versiones 1.15 y anteriores, almacena los tokens sin cifrar en los archivos job config.xml en el controlador Jenkins donde pueden ser visualizados por los usuarios con permiso de Lectura Extendida, o con acceso al sistema de archivos del controlador Jenkins"
    }
  ],
  "id": "CVE-2022-27218",
  "lastModified": "2026-06-17T04:36:31.137",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 4.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-03-15T17:15:12.877",
  "references": [
    {
      "source": "jenkinsci-cert@googlegroups.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2022/03/15/2"
    },
    {
      "source": "jenkinsci-cert@googlegroups.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.jenkins.io/security/advisory/2022-03-15/#SECURITY-2273"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2022/03/15/2"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.jenkins.io/security/advisory/2022-03-15/#SECURITY-2273"
    }
  ],
  "sourceIdentifier": "jenkinsci-cert@googlegroups.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-522"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-8G9W-5JV6-7M4X

Vulnerability from github – Published: 2022-03-16 00:00 – Updated: 2022-11-30 18:45

Summary

Personal tokens stored in plain text by Jenkins incapptic connect uploader Plugin

Details

Severity

4.3 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.incapptic.plugins:incapptic-connect-uploader"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-27218"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256",
      "CWE-522"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-30T18:45:18Z",
    "nvd_published_at": "2022-03-15T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Jenkins incapptic connect uploader Plugin 1.15 and earlier stores tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.",
  "id": "GHSA-8g9w-5jv6-7m4x",
  "modified": "2022-11-30T18:45:18Z",
  "published": "2022-03-16T00:00:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27218"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/incapptic-connect-uploader-plugin"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2022-03-15/#SECURITY-2273"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/03/15/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Personal tokens stored in plain text by Jenkins incapptic connect uploader Plugin"
}

GSD-2022-27218

Vulnerability from gsd - Updated: 2023-12-13 01:19

Details

Aliases

CVE-2022-27218

Aliases

CVE-2022-27218

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-27218",
    "description": "Jenkins incapptic connect uploader Plugin 1.15 and earlier stores tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.",
    "id": "GSD-2022-27218"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-27218"
      ],
      "details": "Jenkins incapptic connect uploader Plugin 1.15 and earlier stores tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.",
      "id": "GSD-2022-27218",
      "modified": "2023-12-13T01:19:41.470347Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "jenkinsci-cert@googlegroups.com",
        "ID": "CVE-2022-27218",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Jenkins incapptic connect uploader Plugin",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "not down converted",
                          "x_cve_json_5_version_data": {
                            "versions": [
                              {
                                "lessThanOrEqual": "1.15",
                                "status": "affected",
                                "version": "unspecified",
                                "versionType": "custom"
                              },
                              {
                                "lessThan": "unspecified",
                                "status": "unknown",
                                "version": "next of 1.15",
                                "versionType": "custom"
                              }
                            ]
                          }
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Jenkins project"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Jenkins incapptic connect uploader Plugin 1.15 and earlier stores tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://www.jenkins.io/security/advisory/2022-03-15/#SECURITY-2273",
            "refsource": "MISC",
            "url": "https://www.jenkins.io/security/advisory/2022-03-15/#SECURITY-2273"
          },
          {
            "name": "http://www.openwall.com/lists/oss-security/2022/03/15/2",
            "refsource": "MISC",
            "url": "http://www.openwall.com/lists/oss-security/2022/03/15/2"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "(,1.15]",
          "affected_versions": "All versions up to 1.15",
          "cvss_v2": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2022-11-30",
          "description": "Jenkins incapptic connect uploader Plugin 1.15 and earlier stores tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.",
          "fixed_versions": [],
          "identifier": "CVE-2022-27218",
          "identifiers": [
            "GHSA-8g9w-5jv6-7m4x",
            "CVE-2022-27218"
          ],
          "not_impacted": "",
          "package_slug": "maven/com.incapptic.plugins/incapptic-connect-uploader",
          "pubdate": "2022-03-16",
          "solution": "Unfortunately, there is no solution available yet.",
          "title": "Personal tokens stored in plain text by Jenkins incapptic connect uploader Plugin",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2022-27218",
            "https://www.jenkins.io/security/advisory/2022-03-15/#SECURITY-2273",
            "http://www.openwall.com/lists/oss-security/2022/03/15/2",
            "https://github.com/advisories/GHSA-8g9w-5jv6-7m4x"
          ],
          "uuid": "49e6220f-0164-4303-b853-63f8cb242838"
        }
      ]
    },
    "nvd.nist.gov": {
      "cve": {
        "configurations": [
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:jenkins:incapptic_connect_uploader:*:*:*:*:*:jenkins:*:*",
                    "matchCriteriaId": "36E10CE5-ED76-44B3-9714-C5C8E5CB9865",
                    "versionEndIncluding": "1.15",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          }
        ],
        "descriptions": [
          {
            "lang": "en",
            "value": "Jenkins incapptic connect uploader Plugin 1.15 and earlier stores tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system."
          },
          {
            "lang": "es",
            "value": "El Plugin incapptic connect uploader de Jenkins versiones 1.15 y anteriores, almacena los tokens sin cifrar en los archivos job config.xml en el controlador Jenkins donde pueden ser visualizados por los usuarios con permiso de Lectura Extendida, o con acceso al sistema de archivos del controlador Jenkins"
          }
        ],
        "id": "CVE-2022-27218",
        "lastModified": "2023-12-21T21:53:32.773",
        "metrics": {
          "cvssMetricV2": [
            {
              "acInsufInfo": false,
              "baseSeverity": "MEDIUM",
              "cvssData": {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "SINGLE",
                "availabilityImpact": "NONE",
                "baseScore": 4.0,
                "confidentialityImpact": "PARTIAL",
                "integrityImpact": "NONE",
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
                "version": "2.0"
              },
              "exploitabilityScore": 8.0,
              "impactScore": 2.9,
              "obtainAllPrivilege": false,
              "obtainOtherPrivilege": false,
              "obtainUserPrivilege": false,
              "source": "nvd@nist.gov",
              "type": "Primary",
              "userInteractionRequired": false
            }
          ],
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "exploitabilityScore": 2.8,
              "impactScore": 1.4,
              "source": "nvd@nist.gov",
              "type": "Primary"
            }
          ]
        },
        "published": "2022-03-15T17:15:12.877",
        "references": [
          {
            "source": "jenkinsci-cert@googlegroups.com",
            "tags": [
              "Mailing List",
              "Third Party Advisory"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2022/03/15/2"
          },
          {
            "source": "jenkinsci-cert@googlegroups.com",
            "tags": [
              "Vendor Advisory"
            ],
            "url": "https://www.jenkins.io/security/advisory/2022-03-15/#SECURITY-2273"
          }
        ],
        "sourceIdentifier": "jenkinsci-cert@googlegroups.com",
        "vulnStatus": "Analyzed",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-522"
              }
            ],
            "source": "nvd@nist.gov",
            "type": "Primary"
          }
        ]
      }
    }
  }
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2022-27218 (GCVE-0-2022-27218)

CNVD-2022-79872

FKIE_CVE-2022-27218

GHSA-8G9W-5JV6-7M4X

GSD-2022-27218

Tags

Sightings

Nomenclature