CVE-2022-27216: Passwords stored in plain text by Jenkins dbCharts Plugin

CVSS Score (CVSS 3.1): 6.5

Basic Information

EPSS Score: 0.6962%
Published: 3/16/2022
Updated: 10/27/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Package Name: org.jenkins-ci.plugins:dbCharts
Ecosystem: maven
Vulnerable Versions: <= 0.5.2
First Patched Version: (not listed)

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from the plugin storing JDBC passwords unencrypted in its DbChartPublisher.xml configuration file. In the Jenkins plugin architecture:

  1. The DbChartPublisher class would hold the JDBC connection configuration, including the password.
  2. The 'configure' method(s) would process the submitted form and persist the settings to disk.
  3. The descriptor class (DescriptorImpl) typically manages the plugin's global configuration.
  4. The absence of encryption in the stored file implies that these configuration handling methods do not wrap the password in Jenkins' secure storage or mask it, so it is written to XML as plain text.
  5. The file path named in the advisories matches Jenkins' standard storage pattern for plugin global configuration files on the controller.

WAF Protection Rules

WAF Rule

Jenkins dbCharts Plugin 0.5.2 and earlier stores JDBC connection passwords unencrypted in its global configuration file `hudson.plugins.dbcharts.DbChartPublisher.xml` on the Jenkins controller as part of its configuration. These passwords can be vie
