Lucene search

[email protected]NVD:CVE-2022-29052

HistoryApr 12, 2022 - 8:15 p.m.

CVE-2022-29052

2022-04-1220:15:09

CWE-522

[email protected]

web.nvd.nist.gov

jenkins

private keys

unencrypted

cloud agent

config.xml

extended read permission

jenkins controller

file system

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

22.0%

JSON

Jenkins Google Compute Engine Plugin 4.3.8 and earlier stores private keys unencrypted in cloud agent config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

Affected configurations

Nvd

Node

jenkinsgoogle_compute_engineRange≤4.3.8jenkins

VendorProductVersionCPE
jenkinsgoogle_compute_engine*cpe:2.3:a:jenkins:google_compute_engine:*:*:*:*:*:jenkins:*:*

Vendor	Product	Version	CPE
jenkins	google_compute_engine	*	cpe:2.3:a:jenkins:google_compute_engine::::::jenkins::*

References

www.jenkins.io/security/advisory/2022-04-12/#SECURITY-2045

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

22.0%

JSON

Related for NVD:CVE-2022-29052

prion1 alpinelinux1 cve1 osv2 cnvd1 cvelist1 github1 nessus2