cvelistv5 - CVE-2022-29052

CVE-2022-29052 (GCVE-0-2022-29052)

Vulnerability from cvelistv5 – Published: 2022-04-12 19:50 – Updated: 2024-10-15 17:13

Summary

Jenkins Google Compute Engine Plugin 4.3.8 and earlier stores private keys unencrypted in cloud agent config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

Severity ?

No CVSS data available.

Assigner

jenkins

References

URL

Tags

https://www.jenkins.io/security/advisory/2022-04-…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	Jenkins project	Jenkins Google Compute Engine Plugin	Affected: unspecified , ≤ 4.3.8 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T06:10:59.255Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.jenkins.io/security/advisory/2022-04-12/#SECURITY-2045"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-29052",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-15T17:09:22.271016Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-15T17:13:31.123Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Jenkins Google Compute Engine Plugin",
          "vendor": "Jenkins project",
          "versions": [
            {
              "lessThanOrEqual": "4.3.8",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Jenkins Google Compute Engine Plugin 4.3.8 and earlier stores private keys unencrypted in cloud agent config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-10-24T14:21:37.934Z",
        "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
        "shortName": "jenkins"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.jenkins.io/security/advisory/2022-04-12/#SECURITY-2045"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "jenkinsci-cert@googlegroups.com",
          "ID": "CVE-2022-29052",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Jenkins Google Compute Engine Plugin",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "4.3.8"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Jenkins project"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Jenkins Google Compute Engine Plugin 4.3.8 and earlier stores private keys unencrypted in cloud agent config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-256: Plaintext Storage of a Password"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.jenkins.io/security/advisory/2022-04-12/#SECURITY-2045",
              "refsource": "CONFIRM",
              "url": "https://www.jenkins.io/security/advisory/2022-04-12/#SECURITY-2045"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
    "assignerShortName": "jenkins",
    "cveId": "CVE-2022-29052",
    "datePublished": "2022-04-12T19:50:54",
    "dateReserved": "2022-04-11T00:00:00",
    "dateUpdated": "2024-10-15T17:13:31.123Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:jenkins:google_compute_engine:*:*:*:*:*:jenkins:*:*\", \"versionEndIncluding\": \"4.3.8\", \"matchCriteriaId\": \"70E815FC-0CFA-41E9-96B9-64CE6B0C3385\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Jenkins Google Compute Engine Plugin 4.3.8 and earlier stores private keys unencrypted in cloud agent config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.\"}, {\"lang\": \"es\", \"value\": \"Jenkins Google Compute Engine Plugin versiones 4.3.8 y anteriores, almacena las claves privadas sin cifrar en los archivos config.xml del agente de la nube en el controlador de Jenkins, donde pueden ser visualizados por usuarios con permiso de Lectura Extendida, o el acceso al sistema de archivos del controlador de Jenkins\"}]",
      "id": "CVE-2022-29052",
      "lastModified": "2024-11-21T06:58:24.787",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\", \"baseScore\": 4.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 1.4}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:S/C:P/I:N/A:N\", \"baseScore\": 4.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.0, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2022-04-12T20:15:09.850",
      "references": "[{\"url\": \"https://www.jenkins.io/security/advisory/2022-04-12/#SECURITY-2045\", \"source\": \"jenkinsci-cert@googlegroups.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://www.jenkins.io/security/advisory/2022-04-12/#SECURITY-2045\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "jenkinsci-cert@googlegroups.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-522\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-29052\",\"sourceIdentifier\":\"jenkinsci-cert@googlegroups.com\",\"published\":\"2022-04-12T20:15:09.850\",\"lastModified\":\"2024-11-21T06:58:24.787\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Jenkins Google Compute Engine Plugin 4.3.8 and earlier stores private keys unencrypted in cloud agent config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.\"},{\"lang\":\"es\",\"value\":\"Jenkins Google Compute Engine Plugin versiones 4.3.8 y anteriores, almacena las claves privadas sin cifrar en los archivos config.xml del agente de la nube en el controlador de Jenkins, donde pueden ser visualizados por usuarios con permiso de Lectura Extendida, o el acceso al sistema de archivos del controlador de Jenkins\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:P/I:N/A:N\",\"baseScore\":4.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-522\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:jenkins:google_compute_engine:*:*:*:*:*:jenkins:*:*\",\"versionEndIncluding\":\"4.3.8\",\"matchCriteriaId\":\"70E815FC-0CFA-41E9-96B9-64CE6B0C3385\"}]}]}],\"references\":[{\"url\":\"https://www.jenkins.io/security/advisory/2022-04-12/#SECURITY-2045\",\"source\":\"jenkinsci-cert@googlegroups.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.jenkins.io/security/advisory/2022-04-12/#SECURITY-2045\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://www.jenkins.io/security/advisory/2022-04-12/#SECURITY-2045\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T06:10:59.255Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-29052\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-10-15T17:09:22.271016Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-10-15T17:10:56.932Z\"}}], \"cna\": {\"affected\": [{\"vendor\": \"Jenkins project\", \"product\": \"Jenkins Google Compute Engine Plugin\", \"versions\": [{\"status\": \"affected\", \"version\": \"unspecified\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"4.3.8\"}]}], \"references\": [{\"url\": \"https://www.jenkins.io/security/advisory/2022-04-12/#SECURITY-2045\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Jenkins Google Compute Engine Plugin 4.3.8 and earlier stores private keys unencrypted in cloud agent config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.\"}], \"providerMetadata\": {\"orgId\": \"39769cd5-e6e2-4dc8-927e-97b3aa056f5b\", \"shortName\": \"jenkins\", \"dateUpdated\": \"2023-10-24T14:21:37.934Z\"}, \"x_legacyV4Record\": {\"affects\": {\"vendor\": {\"vendor_data\": [{\"product\": {\"product_data\": [{\"version\": {\"version_data\": [{\"version_value\": \"4.3.8\", \"version_affected\": \"\u003c=\"}]}, \"product_name\": \"Jenkins Google Compute Engine Plugin\"}]}, \"vendor_name\": \"Jenkins project\"}]}}, \"data_type\": \"CVE\", \"references\": {\"reference_data\": [{\"url\": \"https://www.jenkins.io/security/advisory/2022-04-12/#SECURITY-2045\", \"name\": \"https://www.jenkins.io/security/advisory/2022-04-12/#SECURITY-2045\", \"refsource\": \"CONFIRM\"}]}, \"data_format\": \"MITRE\", \"description\": {\"description_data\": [{\"lang\": \"eng\", \"value\": \"Jenkins Google Compute Engine Plugin 4.3.8 and earlier stores private keys unencrypted in cloud agent config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.\"}]}, \"problemtype\": {\"problemtype_data\": [{\"description\": [{\"lang\": \"eng\", \"value\": \"CWE-256: Plaintext Storage of a Password\"}]}]}, \"data_version\": \"4.0\", \"CVE_data_meta\": {\"ID\": \"CVE-2022-29052\", \"STATE\": \"PUBLIC\", \"ASSIGNER\": \"jenkinsci-cert@googlegroups.com\"}}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2022-29052\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-10-15T17:13:31.123Z\", \"dateReserved\": \"2022-04-11T00:00:00\", \"assignerOrgId\": \"39769cd5-e6e2-4dc8-927e-97b3aa056f5b\", \"datePublished\": \"2022-04-12T19:50:54\", \"assignerShortName\": \"jenkins\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

FKIE_CVE-2022-29052

Vulnerability from fkie_nvd - Published: 2022-04-12 20:15 - Updated: 2024-11-21 06:58

Severity ?

4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Summary

References

	URL	Tags
	jenkinsci-cert@googlegroups.com	https://www.jenkins.io/security/advisory/2022-04-12/#SECURITY-2045	Vendor Advisory
	af854a3a-2127-422b-91ae-364da2661108	https://www.jenkins.io/security/advisory/2022-04-12/#SECURITY-2045	Vendor Advisory

Impacted products

	Vendor	Product	Version
	jenkins	google_compute_engine	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:jenkins:google_compute_engine:*:*:*:*:*:jenkins:*:*",
              "matchCriteriaId": "70E815FC-0CFA-41E9-96B9-64CE6B0C3385",
              "versionEndIncluding": "4.3.8",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Jenkins Google Compute Engine Plugin 4.3.8 and earlier stores private keys unencrypted in cloud agent config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system."
    },
    {
      "lang": "es",
      "value": "Jenkins Google Compute Engine Plugin versiones 4.3.8 y anteriores, almacena las claves privadas sin cifrar en los archivos config.xml del agente de la nube en el controlador de Jenkins, donde pueden ser visualizados por usuarios con permiso de Lectura Extendida, o el acceso al sistema de archivos del controlador de Jenkins"
    }
  ],
  "id": "CVE-2022-29052",
  "lastModified": "2024-11-21T06:58:24.787",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 4.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-04-12T20:15:09.850",
  "references": [
    {
      "source": "jenkinsci-cert@googlegroups.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.jenkins.io/security/advisory/2022-04-12/#SECURITY-2045"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.jenkins.io/security/advisory/2022-04-12/#SECURITY-2045"
    }
  ],
  "sourceIdentifier": "jenkinsci-cert@googlegroups.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-522"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GSD-2022-29052

Vulnerability from gsd - Updated: 2023-12-13 01:19

Details

Aliases

CVE-2022-29052

Aliases

CVE-2022-29052

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-29052",
    "description": "Jenkins Google Compute Engine Plugin 4.3.8 and earlier stores private keys unencrypted in cloud agent config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.",
    "id": "GSD-2022-29052"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-29052"
      ],
      "details": "Jenkins Google Compute Engine Plugin 4.3.8 and earlier stores private keys unencrypted in cloud agent config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.",
      "id": "GSD-2022-29052",
      "modified": "2023-12-13T01:19:42.557724Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "jenkinsci-cert@googlegroups.com",
        "ID": "CVE-2022-29052",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Jenkins Google Compute Engine Plugin",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c=",
                          "version_name": "unspecified",
                          "version_value": "4.3.8"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Jenkins project"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Jenkins Google Compute Engine Plugin 4.3.8 and earlier stores private keys unencrypted in cloud agent config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://www.jenkins.io/security/advisory/2022-04-12/#SECURITY-2045",
            "refsource": "MISC",
            "url": "https://www.jenkins.io/security/advisory/2022-04-12/#SECURITY-2045"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "(,4.3.8]",
          "affected_versions": "All versions up to 4.3.8",
          "cvss_v2": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-522",
            "CWE-937"
          ],
          "date": "2022-04-20",
          "description": "Jenkins Google Compute Engine Plugin 4.3.8 and earlier stores private keys unencrypted in cloud agent config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.",
          "fixed_versions": [],
          "identifier": "CVE-2022-29052",
          "identifiers": [
            "CVE-2022-29052"
          ],
          "not_impacted": "",
          "package_slug": "maven/org.jenkins-ci.plugins/google-compute-engine",
          "pubdate": "2022-04-12",
          "solution": "Unfortunately, there is no solution available yet.",
          "title": "Insufficiently Protected Credentials",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2022-29052",
            "https://www.jenkins.io/security/advisory/2022-04-12/#SECURITY-2045"
          ],
          "uuid": "077b0bdf-b7b9-4ba8-929e-bef32945b1b7"
        }
      ]
    },
    "nvd.nist.gov": {
      "cve": {
        "configurations": [
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:jenkins:google_compute_engine:*:*:*:*:*:jenkins:*:*",
                    "matchCriteriaId": "70E815FC-0CFA-41E9-96B9-64CE6B0C3385",
                    "versionEndIncluding": "4.3.8",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          }
        ],
        "descriptions": [
          {
            "lang": "en",
            "value": "Jenkins Google Compute Engine Plugin 4.3.8 and earlier stores private keys unencrypted in cloud agent config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system."
          },
          {
            "lang": "es",
            "value": "Jenkins Google Compute Engine Plugin versiones 4.3.8 y anteriores, almacena las claves privadas sin cifrar en los archivos config.xml del agente de la nube en el controlador de Jenkins, donde pueden ser visualizados por usuarios con permiso de Lectura Extendida, o el acceso al sistema de archivos del controlador de Jenkins"
          }
        ],
        "id": "CVE-2022-29052",
        "lastModified": "2023-12-22T16:23:18.697",
        "metrics": {
          "cvssMetricV2": [
            {
              "acInsufInfo": false,
              "baseSeverity": "MEDIUM",
              "cvssData": {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "SINGLE",
                "availabilityImpact": "NONE",
                "baseScore": 4.0,
                "confidentialityImpact": "PARTIAL",
                "integrityImpact": "NONE",
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
                "version": "2.0"
              },
              "exploitabilityScore": 8.0,
              "impactScore": 2.9,
              "obtainAllPrivilege": false,
              "obtainOtherPrivilege": false,
              "obtainUserPrivilege": false,
              "source": "nvd@nist.gov",
              "type": "Primary",
              "userInteractionRequired": false
            }
          ],
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "exploitabilityScore": 2.8,
              "impactScore": 1.4,
              "source": "nvd@nist.gov",
              "type": "Primary"
            }
          ]
        },
        "published": "2022-04-12T20:15:09.850",
        "references": [
          {
            "source": "jenkinsci-cert@googlegroups.com",
            "tags": [
              "Vendor Advisory"
            ],
            "url": "https://www.jenkins.io/security/advisory/2022-04-12/#SECURITY-2045"
          }
        ],
        "sourceIdentifier": "jenkinsci-cert@googlegroups.com",
        "vulnStatus": "Analyzed",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-522"
              }
            ],
            "source": "nvd@nist.gov",
            "type": "Primary"
          }
        ]
      }
    }
  }
}

CNVD-2022-79940

Vulnerability from cnvd - Published: 2022-11-23

Title

Jenkins Google Compute Engine Plugin存在未明漏洞

Description

Jenkins是Jenkins开源的一个应用软件。一个开源自动化服务器Jenkins提供了数百个插件来支持构建，部署和自动化任何项目。 Jenkins Google Compute Engine Plugin存在安全漏洞，该漏洞源于将未加密的私钥存储在Jenkins控制器上的云代理config.xml文件中，具有扩展读权限的攻击者可利用该漏洞查看这些私钥，或者访问Jenkins控制器文件系统。

Severity

中

Patch Name

Jenkins Google Compute Engine Plugin存在未明漏洞的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://www.jenkins.io/security/advisory/2022-04-12/#SECURITY-2045

Reference

https://nvd.nist.gov/vuln/detail/CVE-2022-29052

Impacted products

Name
Jenkins Google Compute Engine Plugin <=4.3.8

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2022-29052",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2022-29052"
    }
  },
  "description": "Jenkins\u662fJenkins\u5f00\u6e90\u7684\u4e00\u4e2a\u5e94\u7528\u8f6f\u4ef6\u3002\u4e00\u4e2a\u5f00\u6e90\u81ea\u52a8\u5316\u670d\u52a1\u5668Jenkins\u63d0\u4f9b\u4e86\u6570\u767e\u4e2a\u63d2\u4ef6\u6765\u652f\u6301\u6784\u5efa\uff0c\u90e8\u7f72\u548c\u81ea\u52a8\u5316\u4efb\u4f55\u9879\u76ee\u3002\n\nJenkins Google Compute Engine Plugin\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5c06\u672a\u52a0\u5bc6\u7684\u79c1\u94a5\u5b58\u50a8\u5728Jenkins\u63a7\u5236\u5668\u4e0a\u7684\u4e91\u4ee3\u7406config.xml\u6587\u4ef6\u4e2d\uff0c\u5177\u6709\u6269\u5c55\u8bfb\u6743\u9650\u7684\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u67e5\u770b\u8fd9\u4e9b\u79c1\u94a5\uff0c\u6216\u8005\u8bbf\u95eeJenkins\u63a7\u5236\u5668\u6587\u4ef6\u7cfb\u7edf\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://www.jenkins.io/security/advisory/2022-04-12/#SECURITY-2045",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-79940",
  "openTime": "2022-11-23",
  "patchDescription": "Jenkins\u662fJenkins\u5f00\u6e90\u7684\u4e00\u4e2a\u5e94\u7528\u8f6f\u4ef6\u3002\u4e00\u4e2a\u5f00\u6e90\u81ea\u52a8\u5316\u670d\u52a1\u5668Jenkins\u63d0\u4f9b\u4e86\u6570\u767e\u4e2a\u63d2\u4ef6\u6765\u652f\u6301\u6784\u5efa\uff0c\u90e8\u7f72\u548c\u81ea\u52a8\u5316\u4efb\u4f55\u9879\u76ee\u3002\r\n\r\nJenkins Google Compute Engine Plugin\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5c06\u672a\u52a0\u5bc6\u7684\u79c1\u94a5\u5b58\u50a8\u5728Jenkins\u63a7\u5236\u5668\u4e0a\u7684\u4e91\u4ee3\u7406config.xml\u6587\u4ef6\u4e2d\uff0c\u5177\u6709\u6269\u5c55\u8bfb\u6743\u9650\u7684\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u67e5\u770b\u8fd9\u4e9b\u79c1\u94a5\uff0c\u6216\u8005\u8bbf\u95eeJenkins\u63a7\u5236\u5668\u6587\u4ef6\u7cfb\u7edf\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Jenkins Google Compute Engine Plugin\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Jenkins Google Compute Engine Plugin \u003c=4.3.8"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2022-29052",
  "serverity": "\u4e2d",
  "submitTime": "2022-04-13",
  "title": "Jenkins Google Compute Engine Plugin\u5b58\u5728\u672a\u660e\u6f0f\u6d1e"
}

GHSA-VHXQ-9MPV-GJ87

Vulnerability from github – Published: 2022-04-13 00:00 – Updated: 2022-12-01 23:42

Summary

Private key stored in plain text by Jenkins Google Compute Engine Plugin

Details

Jenkins Google Compute Engine Plugin 4.3.8 and earlier stores private keys unencrypted in cloud agent config.xml files on the Jenkins controller where they can be viewed by users with Agent/Extended Read permission, or access to the Jenkins controller file system.

Severity ?

4.3 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:google-compute-engine"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.3.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-29052"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-522"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-01T23:42:49Z",
    "nvd_published_at": "2022-04-12T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Jenkins Google Compute Engine Plugin 4.3.8 and earlier stores private keys unencrypted in cloud agent `config.xml` files on the Jenkins controller where they can be viewed by users with Agent/Extended Read permission, or access to the Jenkins controller file system.",
  "id": "GHSA-vhxq-9mpv-gj87",
  "modified": "2022-12-01T23:42:49Z",
  "published": "2022-04-13T00:00:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29052"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/google-compute-engine-plugin/commit/16d2ae71a1b34c81db1d74f83c41577536e5256f"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2022-04-12/#SECURITY-2045"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Private key stored in plain text by Jenkins Google Compute Engine Plugin"
}

WID-SEC-W-2022-0265

Vulnerability from csaf_certbund - Published: 2022-04-12 22:00 - Updated: 2023-03-06 23:00

Summary

Jenkins: Mehrere Schwachstellen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Jenkins ist ein erweiterbarer, webbasierter Integration Server zur kontinuierlichen Unterstützung bei Softwareentwicklungen aller Art.

Angriff

Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Jenkins ausnutzen, um vertrauliche Informationen offenzulegen, Sicherheitsmaßnahmen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuführen und Dateien zu manipulieren.

Betroffene Betriebssysteme

- UNIX - Linux - Windows - Sonstiges

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Jenkins ist ein erweiterbarer, webbasierter Integration Server zur kontinuierlichen Unterst\u00fctzung bei Softwareentwicklungen aller Art.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Jenkins ausnutzen, um vertrauliche Informationen offenzulegen, Sicherheitsma\u00dfnahmen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren und Dateien zu manipulieren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- UNIX\n- Linux\n- Windows\n- Sonstiges",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2022-0265 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2022/wid-sec-w-2022-0265.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2022-0265 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0265"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2023:1064 vom 2023-03-06",
        "url": "https://access.redhat.com/errata/RHSA-2023:1064"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2022:2280 vom 2022-05-31",
        "url": "https://access.redhat.com/errata/RHSA-2022:2280"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2022:2205 vom 2022-05-19",
        "url": "https://access.redhat.com/errata/RHSA-2022:2205"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2022:4947 vom 2022-06-17",
        "url": "https://access.redhat.com/errata/RHSA-2022:4947"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2022:4909 vom 2022-06-10",
        "url": "https://access.redhat.com/errata/RHSA-2022:4909"
      },
      {
        "category": "external",
        "summary": "Jenkins Security Advisory vom 2022-04-12",
        "url": "https://www.jenkins.io/security/advisory/2022-04-12/"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2022:2281 vom 2022-05-31",
        "url": "https://access.redhat.com/errata/RHSA-2022:2281"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2023:0017 vom 2023-01-12",
        "url": "https://access.redhat.com/errata/RHSA-2023:0017"
      }
    ],
    "source_lang": "en-US",
    "title": "Jenkins: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2023-03-06T23:00:00.000+00:00",
      "generator": {
        "date": "2024-08-15T17:27:43.827+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.5"
        }
      },
      "id": "WID-SEC-W-2022-0265",
      "initial_release_date": "2022-04-12T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2022-04-12T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2022-05-18T22:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2022-05-30T22:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2022-05-31T22:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2022-06-09T22:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2022-06-19T22:00:00.000+00:00",
          "number": "6",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2023-01-12T23:00:00.000+00:00",
          "number": "7",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2023-03-06T23:00:00.000+00:00",
          "number": "8",
          "summary": "Neue Updates von Red Hat aufgenommen"
        }
      ],
      "status": "final",
      "version": "8"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Jenkins Jenkins",
            "product": {
              "name": "Jenkins Jenkins",
              "product_id": "T015880",
              "product_identification_helper": {
                "cpe": "cpe:/a:cloudbees:jenkins:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Jenkins"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Red Hat Enterprise Linux",
            "product": {
              "name": "Red Hat Enterprise Linux",
              "product_id": "67646",
              "product_identification_helper": {
                "cpe": "cpe:/o:redhat:enterprise_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2017-2601",
      "notes": [
        {
          "category": "description",
          "text": "Es existieren mehrere Schwachstellen in Jenkins. Die Fehler befinden sich in den folgenden Plugins: Credentials Plugin, CVS Plugin, Extended Choice Parameter Plugin, Gerrit Trigger Plugin, Git Parameter Plugin, Google Compute Engine Plugin, Jira Plugin, Job Generator Plugin, Mask Passwords Plugin, Node and Label parameter Plugin, Pipeline: Shared Groovy Libraries Plugin, Promoted Builds Plugin, Publish Over FTP Plugin, Subversion Plugin. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um vertrauliche Informationen offenzulegen, Sicherheitsma\u00dfnahmen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren und Dateien zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion."
        }
      ],
      "product_status": {
        "known_affected": [
          "67646",
          "T015880"
        ]
      },
      "release_date": "2022-04-12T22:00:00.000+00:00",
      "title": "CVE-2017-2601"
    },
    {
      "cve": "CVE-2022-29036",
      "notes": [
        {
          "category": "description",
          "text": "Es existieren mehrere Schwachstellen in Jenkins. Die Fehler befinden sich in den folgenden Plugins: Credentials Plugin, CVS Plugin, Extended Choice Parameter Plugin, Gerrit Trigger Plugin, Git Parameter Plugin, Google Compute Engine Plugin, Jira Plugin, Job Generator Plugin, Mask Passwords Plugin, Node and Label parameter Plugin, Pipeline: Shared Groovy Libraries Plugin, Promoted Builds Plugin, Publish Over FTP Plugin, Subversion Plugin. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um vertrauliche Informationen offenzulegen, Sicherheitsma\u00dfnahmen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren und Dateien zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion."
        }
      ],
      "product_status": {
        "known_affected": [
          "67646",
          "T015880"
        ]
      },
      "release_date": "2022-04-12T22:00:00.000+00:00",
      "title": "CVE-2022-29036"
    },
    {
      "cve": "CVE-2022-29037",
      "notes": [
        {
          "category": "description",
          "text": "Es existieren mehrere Schwachstellen in Jenkins. Die Fehler befinden sich in den folgenden Plugins: Credentials Plugin, CVS Plugin, Extended Choice Parameter Plugin, Gerrit Trigger Plugin, Git Parameter Plugin, Google Compute Engine Plugin, Jira Plugin, Job Generator Plugin, Mask Passwords Plugin, Node and Label parameter Plugin, Pipeline: Shared Groovy Libraries Plugin, Promoted Builds Plugin, Publish Over FTP Plugin, Subversion Plugin. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um vertrauliche Informationen offenzulegen, Sicherheitsma\u00dfnahmen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren und Dateien zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion."
        }
      ],
      "product_status": {
        "known_affected": [
          "67646",
          "T015880"
        ]
      },
      "release_date": "2022-04-12T22:00:00.000+00:00",
      "title": "CVE-2022-29037"
    },
    {
      "cve": "CVE-2022-29038",
      "notes": [
        {
          "category": "description",
          "text": "Es existieren mehrere Schwachstellen in Jenkins. Die Fehler befinden sich in den folgenden Plugins: Credentials Plugin, CVS Plugin, Extended Choice Parameter Plugin, Gerrit Trigger Plugin, Git Parameter Plugin, Google Compute Engine Plugin, Jira Plugin, Job Generator Plugin, Mask Passwords Plugin, Node and Label parameter Plugin, Pipeline: Shared Groovy Libraries Plugin, Promoted Builds Plugin, Publish Over FTP Plugin, Subversion Plugin. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um vertrauliche Informationen offenzulegen, Sicherheitsma\u00dfnahmen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren und Dateien zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion."
        }
      ],
      "product_status": {
        "known_affected": [
          "67646",
          "T015880"
        ]
      },
      "release_date": "2022-04-12T22:00:00.000+00:00",
      "title": "CVE-2022-29038"
    },
    {
      "cve": "CVE-2022-29039",
      "notes": [
        {
          "category": "description",
          "text": "Es existieren mehrere Schwachstellen in Jenkins. Die Fehler befinden sich in den folgenden Plugins: Credentials Plugin, CVS Plugin, Extended Choice Parameter Plugin, Gerrit Trigger Plugin, Git Parameter Plugin, Google Compute Engine Plugin, Jira Plugin, Job Generator Plugin, Mask Passwords Plugin, Node and Label parameter Plugin, Pipeline: Shared Groovy Libraries Plugin, Promoted Builds Plugin, Publish Over FTP Plugin, Subversion Plugin. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um vertrauliche Informationen offenzulegen, Sicherheitsma\u00dfnahmen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren und Dateien zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion."
        }
      ],
      "product_status": {
        "known_affected": [
          "67646",
          "T015880"
        ]
      },
      "release_date": "2022-04-12T22:00:00.000+00:00",
      "title": "CVE-2022-29039"
    },
    {
      "cve": "CVE-2022-29040",
      "notes": [
        {
          "category": "description",
          "text": "Es existieren mehrere Schwachstellen in Jenkins. Die Fehler befinden sich in den folgenden Plugins: Credentials Plugin, CVS Plugin, Extended Choice Parameter Plugin, Gerrit Trigger Plugin, Git Parameter Plugin, Google Compute Engine Plugin, Jira Plugin, Job Generator Plugin, Mask Passwords Plugin, Node and Label parameter Plugin, Pipeline: Shared Groovy Libraries Plugin, Promoted Builds Plugin, Publish Over FTP Plugin, Subversion Plugin. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um vertrauliche Informationen offenzulegen, Sicherheitsma\u00dfnahmen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren und Dateien zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion."
        }
      ],
      "product_status": {
        "known_affected": [
          "67646",
          "T015880"
        ]
      },
      "release_date": "2022-04-12T22:00:00.000+00:00",
      "title": "CVE-2022-29040"
    },
    {
      "cve": "CVE-2022-29041",
      "notes": [
        {
          "category": "description",
          "text": "Es existieren mehrere Schwachstellen in Jenkins. Die Fehler befinden sich in den folgenden Plugins: Credentials Plugin, CVS Plugin, Extended Choice Parameter Plugin, Gerrit Trigger Plugin, Git Parameter Plugin, Google Compute Engine Plugin, Jira Plugin, Job Generator Plugin, Mask Passwords Plugin, Node and Label parameter Plugin, Pipeline: Shared Groovy Libraries Plugin, Promoted Builds Plugin, Publish Over FTP Plugin, Subversion Plugin. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um vertrauliche Informationen offenzulegen, Sicherheitsma\u00dfnahmen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren und Dateien zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion."
        }
      ],
      "product_status": {
        "known_affected": [
          "67646",
          "T015880"
        ]
      },
      "release_date": "2022-04-12T22:00:00.000+00:00",
      "title": "CVE-2022-29041"
    },
    {
      "cve": "CVE-2022-29042",
      "notes": [
        {
          "category": "description",
          "text": "Es existieren mehrere Schwachstellen in Jenkins. Die Fehler befinden sich in den folgenden Plugins: Credentials Plugin, CVS Plugin, Extended Choice Parameter Plugin, Gerrit Trigger Plugin, Git Parameter Plugin, Google Compute Engine Plugin, Jira Plugin, Job Generator Plugin, Mask Passwords Plugin, Node and Label parameter Plugin, Pipeline: Shared Groovy Libraries Plugin, Promoted Builds Plugin, Publish Over FTP Plugin, Subversion Plugin. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um vertrauliche Informationen offenzulegen, Sicherheitsma\u00dfnahmen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren und Dateien zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion."
        }
      ],
      "product_status": {
        "known_affected": [
          "67646",
          "T015880"
        ]
      },
      "release_date": "2022-04-12T22:00:00.000+00:00",
      "title": "CVE-2022-29042"
    },
    {
      "cve": "CVE-2022-29043",
      "notes": [
        {
          "category": "description",
          "text": "Es existieren mehrere Schwachstellen in Jenkins. Die Fehler befinden sich in den folgenden Plugins: Credentials Plugin, CVS Plugin, Extended Choice Parameter Plugin, Gerrit Trigger Plugin, Git Parameter Plugin, Google Compute Engine Plugin, Jira Plugin, Job Generator Plugin, Mask Passwords Plugin, Node and Label parameter Plugin, Pipeline: Shared Groovy Libraries Plugin, Promoted Builds Plugin, Publish Over FTP Plugin, Subversion Plugin. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um vertrauliche Informationen offenzulegen, Sicherheitsma\u00dfnahmen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren und Dateien zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion."
        }
      ],
      "product_status": {
        "known_affected": [
          "67646",
          "T015880"
        ]
      },
      "release_date": "2022-04-12T22:00:00.000+00:00",
      "title": "CVE-2022-29043"
    },
    {
      "cve": "CVE-2022-29044",
      "notes": [
        {
          "category": "description",
          "text": "Es existieren mehrere Schwachstellen in Jenkins. Die Fehler befinden sich in den folgenden Plugins: Credentials Plugin, CVS Plugin, Extended Choice Parameter Plugin, Gerrit Trigger Plugin, Git Parameter Plugin, Google Compute Engine Plugin, Jira Plugin, Job Generator Plugin, Mask Passwords Plugin, Node and Label parameter Plugin, Pipeline: Shared Groovy Libraries Plugin, Promoted Builds Plugin, Publish Over FTP Plugin, Subversion Plugin. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um vertrauliche Informationen offenzulegen, Sicherheitsma\u00dfnahmen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren und Dateien zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion."
        }
      ],
      "product_status": {
        "known_affected": [
          "67646",
          "T015880"
        ]
      },
      "release_date": "2022-04-12T22:00:00.000+00:00",
      "title": "CVE-2022-29044"
    },
    {
      "cve": "CVE-2022-29045",
      "notes": [
        {
          "category": "description",
          "text": "Es existieren mehrere Schwachstellen in Jenkins. Die Fehler befinden sich in den folgenden Plugins: Credentials Plugin, CVS Plugin, Extended Choice Parameter Plugin, Gerrit Trigger Plugin, Git Parameter Plugin, Google Compute Engine Plugin, Jira Plugin, Job Generator Plugin, Mask Passwords Plugin, Node and Label parameter Plugin, Pipeline: Shared Groovy Libraries Plugin, Promoted Builds Plugin, Publish Over FTP Plugin, Subversion Plugin. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um vertrauliche Informationen offenzulegen, Sicherheitsma\u00dfnahmen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren und Dateien zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion."
        }
      ],
      "product_status": {
        "known_affected": [
          "67646",
          "T015880"
        ]
      },
      "release_date": "2022-04-12T22:00:00.000+00:00",
      "title": "CVE-2022-29045"
    },
    {
      "cve": "CVE-2022-29046",
      "notes": [
        {
          "category": "description",
          "text": "Es existieren mehrere Schwachstellen in Jenkins. Die Fehler befinden sich in den folgenden Plugins: Credentials Plugin, CVS Plugin, Extended Choice Parameter Plugin, Gerrit Trigger Plugin, Git Parameter Plugin, Google Compute Engine Plugin, Jira Plugin, Job Generator Plugin, Mask Passwords Plugin, Node and Label parameter Plugin, Pipeline: Shared Groovy Libraries Plugin, Promoted Builds Plugin, Publish Over FTP Plugin, Subversion Plugin. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um vertrauliche Informationen offenzulegen, Sicherheitsma\u00dfnahmen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren und Dateien zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion."
        }
      ],
      "product_status": {
        "known_affected": [
          "67646",
          "T015880"
        ]
      },
      "release_date": "2022-04-12T22:00:00.000+00:00",
      "title": "CVE-2022-29046"
    },
    {
      "cve": "CVE-2022-29047",
      "notes": [
        {
          "category": "description",
          "text": "Es existieren mehrere Schwachstellen in Jenkins. Die Fehler befinden sich in den folgenden Plugins: Credentials Plugin, CVS Plugin, Extended Choice Parameter Plugin, Gerrit Trigger Plugin, Git Parameter Plugin, Google Compute Engine Plugin, Jira Plugin, Job Generator Plugin, Mask Passwords Plugin, Node and Label parameter Plugin, Pipeline: Shared Groovy Libraries Plugin, Promoted Builds Plugin, Publish Over FTP Plugin, Subversion Plugin. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um vertrauliche Informationen offenzulegen, Sicherheitsma\u00dfnahmen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren und Dateien zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion."
        }
      ],
      "product_status": {
        "known_affected": [
          "67646",
          "T015880"
        ]
      },
      "release_date": "2022-04-12T22:00:00.000+00:00",
      "title": "CVE-2022-29047"
    },
    {
      "cve": "CVE-2022-29048",
      "notes": [
        {
          "category": "description",
          "text": "Es existieren mehrere Schwachstellen in Jenkins. Die Fehler befinden sich in den folgenden Plugins: Credentials Plugin, CVS Plugin, Extended Choice Parameter Plugin, Gerrit Trigger Plugin, Git Parameter Plugin, Google Compute Engine Plugin, Jira Plugin, Job Generator Plugin, Mask Passwords Plugin, Node and Label parameter Plugin, Pipeline: Shared Groovy Libraries Plugin, Promoted Builds Plugin, Publish Over FTP Plugin, Subversion Plugin. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um vertrauliche Informationen offenzulegen, Sicherheitsma\u00dfnahmen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren und Dateien zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion."
        }
      ],
      "product_status": {
        "known_affected": [
          "67646",
          "T015880"
        ]
      },
      "release_date": "2022-04-12T22:00:00.000+00:00",
      "title": "CVE-2022-29048"
    },
    {
      "cve": "CVE-2022-29049",
      "notes": [
        {
          "category": "description",
          "text": "Es existieren mehrere Schwachstellen in Jenkins. Die Fehler befinden sich in den folgenden Plugins: Credentials Plugin, CVS Plugin, Extended Choice Parameter Plugin, Gerrit Trigger Plugin, Git Parameter Plugin, Google Compute Engine Plugin, Jira Plugin, Job Generator Plugin, Mask Passwords Plugin, Node and Label parameter Plugin, Pipeline: Shared Groovy Libraries Plugin, Promoted Builds Plugin, Publish Over FTP Plugin, Subversion Plugin. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um vertrauliche Informationen offenzulegen, Sicherheitsma\u00dfnahmen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren und Dateien zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion."
        }
      ],
      "product_status": {
        "known_affected": [
          "67646",
          "T015880"
        ]
      },
      "release_date": "2022-04-12T22:00:00.000+00:00",
      "title": "CVE-2022-29049"
    },
    {
      "cve": "CVE-2022-29050",
      "notes": [
        {
          "category": "description",
          "text": "Es existieren mehrere Schwachstellen in Jenkins. Die Fehler befinden sich in den folgenden Plugins: Credentials Plugin, CVS Plugin, Extended Choice Parameter Plugin, Gerrit Trigger Plugin, Git Parameter Plugin, Google Compute Engine Plugin, Jira Plugin, Job Generator Plugin, Mask Passwords Plugin, Node and Label parameter Plugin, Pipeline: Shared Groovy Libraries Plugin, Promoted Builds Plugin, Publish Over FTP Plugin, Subversion Plugin. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um vertrauliche Informationen offenzulegen, Sicherheitsma\u00dfnahmen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren und Dateien zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion."
        }
      ],
      "product_status": {
        "known_affected": [
          "67646",
          "T015880"
        ]
      },
      "release_date": "2022-04-12T22:00:00.000+00:00",
      "title": "CVE-2022-29050"
    },
    {
      "cve": "CVE-2022-29051",
      "notes": [
        {
          "category": "description",
          "text": "Es existieren mehrere Schwachstellen in Jenkins. Die Fehler befinden sich in den folgenden Plugins: Credentials Plugin, CVS Plugin, Extended Choice Parameter Plugin, Gerrit Trigger Plugin, Git Parameter Plugin, Google Compute Engine Plugin, Jira Plugin, Job Generator Plugin, Mask Passwords Plugin, Node and Label parameter Plugin, Pipeline: Shared Groovy Libraries Plugin, Promoted Builds Plugin, Publish Over FTP Plugin, Subversion Plugin. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um vertrauliche Informationen offenzulegen, Sicherheitsma\u00dfnahmen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren und Dateien zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion."
        }
      ],
      "product_status": {
        "known_affected": [
          "67646",
          "T015880"
        ]
      },
      "release_date": "2022-04-12T22:00:00.000+00:00",
      "title": "CVE-2022-29051"
    },
    {
      "cve": "CVE-2022-29052",
      "notes": [
        {
          "category": "description",
          "text": "Es existieren mehrere Schwachstellen in Jenkins. Die Fehler befinden sich in den folgenden Plugins: Credentials Plugin, CVS Plugin, Extended Choice Parameter Plugin, Gerrit Trigger Plugin, Git Parameter Plugin, Google Compute Engine Plugin, Jira Plugin, Job Generator Plugin, Mask Passwords Plugin, Node and Label parameter Plugin, Pipeline: Shared Groovy Libraries Plugin, Promoted Builds Plugin, Publish Over FTP Plugin, Subversion Plugin. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um vertrauliche Informationen offenzulegen, Sicherheitsma\u00dfnahmen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren und Dateien zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion."
        }
      ],
      "product_status": {
        "known_affected": [
          "67646",
          "T015880"
        ]
      },
      "release_date": "2022-04-12T22:00:00.000+00:00",
      "title": "CVE-2022-29052"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2022-29052 (GCVE-0-2022-29052)

FKIE_CVE-2022-29052

GSD-2022-29052

CNVD-2022-79940

GHSA-VHXQ-9MPV-GJ87

WID-SEC-W-2022-0265

Tags

Sightings

Nomenclature