2065740 – (CVE-2022-27195) CVE-2022-27195 jenkins-2-plugins/parameterized-trigger: Information disclosure

Bug 2065740 (CVE-2022-27195) - CVE-2022-27195 jenkins-2-plugins/parameterized-trigger: Information disclosure

Summary: CVE-2022-27195 jenkins-2-plugins/parameterized-trigger: Information disclosure

Keywords:
Status:	NEW
Alias:	CVE-2022-27195
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2076430
Blocks:	2065742
TreeView+	depends on / blocked

Reported:	2022-03-18 15:40 UTC by Patrick Del Bello
Modified:	2024-05-02 18:49 UTC (History)
CC List:	9 users (show)
Fixed In Version:	Parameterized Trigger Plugin 2.43.1
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Patrick Del Bello 2022-03-18 15:40:55 UTC

Jenkins Parameterized Trigger Plugin 2.43 and earlier captures environment variables passed to builds triggered using Jenkins Parameterized Trigger Plugin, including password parameter values, in their `build.xml` files. These values are stored unencrypted and can be viewed by users with access to the Jenkins controller file system.

https://www.jenkins.io/security/advisory/2022-03-15/#SECURITY-2185
http://www.openwall.com/lists/oss-security/2022/03/15/2

Note You need to log in before you can comment on or make changes to this bug.