
CVE-2022-28141: Password stored in plain text by Jenkins Proxmox Plugin

CVSS Score: 6.5 (CVSS v3.1)

Basic Information

EPSS Score: 0.66876%
Published: 3/30/2022
Updated: 10/27/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Package Name                   | Ecosystem | Vulnerable Versions | First Patched Version
org.jenkins-ci.plugins:proxmox | maven     | < 0.6.0             | 0.6.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the Proxmox datacenter password being written to the controller's global config.xml without encryption. Jenkins persists plugin configuration by serializing the configuration object with XStream, so a password field typed as a plain String is emitted verbatim as an XML element. The ProxmoxComputer class likely manages credential storage and ProxmoxConfiguration the global settings; either way, the field reached disk with no cryptographic handling. The fix in 0.6.0 stores the password encrypted; the standard Jenkins mechanism for this is the hudson.util.Secret type, which XStream serializes in its encrypted form under a key kept in the controller's secrets directory, so the original field was evidently not typed that way. Confidence is high because the vulnerability description maps directly onto this common Jenkins plugin pattern. Two caveats for operators: Secret-typed storage keeps the password out of casual file reads, configuration backups and config diffs, but a user who can also read $JENKINS_HOME/secrets can still decrypt it; and any backup of config.xml taken before the upgrade still holds the plaintext, so the Proxmox password should be rotated after upgrading.


WAF Protection Rules

WAF Rule

Jenkins Proxmox Plugin versions before 0.6.0 store the Proxmox datacenter password unencrypted in the global config.xml file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system.

Because the exposure is a file at rest on the controller rather than a request path, no request-level WAF rule addresses it. The remediation is to upgrade to 0.6.0 or later, re-save the plugin configuration so the stored value is rewritten in encrypted form, and rotate the Proxmox password, since the previous value may already be present in backups or copies of config.xml.
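The root-cause analysis above explains the mechanism (an XStream-serialized String field lands in config.xml verbatim, a hudson.util.Secret field lands as "{<base64>}"), and the description says who can read the result. The following audit script is an added example written for this page, not code from Miggo or from the Proxmox plugin: it walks a Jenkins config.xml, finds leaf elements whose tag name looks like a credential, and classifies each stored value so an operator can check a $JENKINS_HOME tree for this class of bug before and after an upgrade. The cloud class name org.example.cloud.ExampleCloud, the host and user names, and the password values in the embedded sample are constructed placeholders, not the Proxmox plugin's real element names.

```python
"""Audit Jenkins config.xml files for credential-looking fields stored in plaintext.

Jenkins serializes plugin configuration with XStream; a field typed as a plain
String lands in config.xml verbatim, while a hudson.util.Secret field lands as
"{<base64>}". This script walks the XML, finds leaf elements whose tag name
looks like a credential, and classifies each stored value.
"""
import os
import re
import sys
import xml.etree.ElementTree as ET

# Tag names that conventionally hold secrets in Jenkins plugin configuration.
SECRET_TAG = re.compile(r"password|passwd|secret|token|api[-_]?key", re.IGNORECASE)

# hudson.util.Secret serializes as "{<base64>}" in current Jenkins releases;
# older releases wrote bare base64, which is reported as "possibly-encrypted".
ENCRYPTED_BRACED = re.compile(r"^\{[A-Za-z0-9+/]+=*\}$")
BARE_BASE64 = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def classify(value):
    """Classify one stored value: empty, encrypted, possibly-encrypted or plaintext."""
    v = (value or "").strip()
    if not v:
        return "empty"
    if ENCRYPTED_BRACED.match(v):
        return "encrypted"
    if BARE_BASE64.match(v):
        return "possibly-encrypted"
    return "plaintext"


def audit(xml_text):
    """Return (element path, classification) for every credential-looking leaf."""
    findings = []

    def walk(elem, path):
        here = f"{path}/{elem.tag}"
        children = list(elem)
        if children:
            for child in children:
                walk(child, here)
        elif SECRET_TAG.search(elem.tag):
            findings.append((here, classify(elem.text)))

    walk(ET.fromstring(xml_text), "")
    return findings


def plaintext_paths(xml_text):
    """Paths of credential-looking leaves whose value is stored in plaintext."""
    return [path for path, kind in audit(xml_text) if kind == "plaintext"]


# Constructed sample, not a real config.xml: the cloud class name, host names and
# values are placeholders. The first cloud entry shows the pre-fix String storage,
# the second shows a Secret-typed field after the configuration was re-saved.
SAMPLE_CONFIG_XML = """<hudson>
  <clouds>
    <org.example.cloud.ExampleCloud plugin="example-cloud@1">
      <name>pve-old</name>
      <hostname>pve.example.internal</hostname>
      <username>jenkins@pve</username>
      <password>Hunter2!pve</password>
    </org.example.cloud.ExampleCloud>
    <org.example.cloud.ExampleCloud plugin="example-cloud@2">
      <name>pve-new</name>
      <hostname>pve.example.internal</hostname>
      <username>jenkins@pve</username>
      <password>{AQAAABAAAAAgZmFrZWVuY3J5cHRlZGJsb2Jmb3JpbGx1c3RyYXRpb24=}</password>
    </org.example.cloud.ExampleCloud>
  </clouds>
</hudson>
"""


def main(argv):
    """Usage: audit_config.py [JENKINS_HOME]; without an argument, audit the sample."""
    if len(argv) < 2:
        for path, kind in audit(SAMPLE_CONFIG_XML):
            print(f"{kind:18} {path}")
        return 0
    exit_code = 0
    for dirpath, _dirs, files in os.walk(argv[1]):
        for name in files:
            if name != "config.xml":
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8") as fh:
                    findings = audit(fh.read())
            except (OSError, ET.ParseError) as exc:
                print(f"skip {full}: {exc}", file=sys.stderr)
                continue
            for path, kind in findings:
                if kind == "plaintext":
                    exit_code = 1
                print(f"{kind:18} {full}:{path}")
    return exit_code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against a controller's $JENKINS_HOME to list every credential-looking field and its storage form; a non-zero exit means at least one plaintext value was found. The tag-name heuristic is deliberately broad, so review the "plaintext" hits by hand, and remember that the check proves nothing about backups or copies taken before the configuration was re-saved.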
