
CVE-2022-34801: Cleartext Storage of Sensitive Information in Jenkins Build Notifications Plugin

CVSS Score: 3.3 (CVSS v3.1)

Basic Information

EPSS Score: 0.6257%
Published: 7/1/2022
Updated: 11/22/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name: tools.devnull:build-notifications
Ecosystem: maven
Vulnerable Versions: <= 1.5.0
First Patched Version: (none given)

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability explicitly involves cleartext storage in XML config files (PushoverNotifier.xml, SlackNotifier.xml, TelegramNotifier.xml) and transmission via configuration forms. In Jenkins plugin architecture, descriptor classes (DescriptorImpl) typically handle global configuration. The configure() method in these descriptors would be responsible for processing form submissions and persisting configurations, making them the logical points where cleartext handling occurs. The advisory's specific mention of three distinct token types with their corresponding XML files strongly indicates these three descriptor implementations as vulnerable entry points.


WAF Protection Rules

WAF Rule

Jenkins Build Notifications Plugin 1.5.0 and earlier transmits tokens in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure.
