GHSA-2qh6-hhvv-m2ww
Suggest an improvement- Source
- https://github.com/advisories/GHSA-2qh6-hhvv-m2ww
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-2qh6-hhvv-m2ww/GHSA-2qh6-hhvv-m2ww.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-2qh6-hhvv-m2ww
- Aliases
- Published
- 2022-07-28T00:00:42Z
- Modified
- 2024-02-16T08:20:07.945678Z
- Severity
-
- 3.3 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- Jenkins HTTP Request Plugin stores HTTP Request passwords unencrypted
- Details
-
HTTP Request Plugin 1.15 and earlier stores HTTP Request passwords unencrypted in its global configuration file
jenkins.plugins.http_request.HttpRequest.xmlon the Jenkins controller as part of its configuration when using (deprecated) Basic/Digest Authentication. These passwords can be viewed by users with access to the Jenkins controller file system. - Database specific
{ "nvd_published_at": "2022-07-27T15:15:00Z", "cwe_ids": [ "CWE-256", "CWE-668" ], "severity": "LOW", "github_reviewed": true, "github_reviewed_at": "2022-08-10T18:30:41Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2022-36901
- https://github.com/jenkinsci/http-request-plugin/commit/a2cf3454a8752759b092c23cadc156dfd2943c42
- https://github.com/jenkinsci/http-request-plugin
- https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-2053
- http://www.openwall.com/lists/oss-security/2022/07/27/1
Affected packages
Maven / org.jenkins-ci.plugins:http_request
Package
- Name
- org.jenkins-ci.plugins:http_request
- View open source insights on deps.dev
- Purl
- pkg:maven/org.jenkins-ci.plugins/http_request