
CVE-2022-34809: Password stored in plain text by Jenkins RQM Plugin

CVSS Score: 3.3 (CVSS v3.1)

Basic Information

EPSS Score: 0.67155%
Published: 7/1/2022
Updated: 11/22/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name           Ecosystem   Vulnerable Versions   First Patched Version
net.praqma:rqm-plugin  maven       <= 2.8                (none listed)

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from improper credential storage in the plugin's global configuration XML file. In the Jenkins plugin architecture a Builder's global settings live on its DescriptorImpl: when an administrator submits the global configuration form, the descriptor's configure() method copies the submitted values into its fields and calls save(), which serialises the descriptor with XStream to $JENKINS_HOME/<describable-class-name>.xml on the controller. A field declared as a plain String is written verbatim; a field of type hudson.util.Secret is written in encrypted form. The advisory names the file net.praqma.jenkins.rqm.RqmBuilder.xml, which is exactly the config file Jenkins generates for the descriptor of RqmBuilder, so the password is most likely held in a String field of that descriptor and written out by its configure()/save() path. The plugin's source was not examined for this analysis; the conclusion rests on three points: 1) the file path in the advisory matches the plugin's Maven/Java package structure and Jenkins' descriptor config-file naming; 2) Jenkins' standard pattern for persisting global configuration through the descriptor; 3) the advisory's explicit statement that the password is stored unencrypted in the XML file, which points at the serialisation path rather than a transient leak.
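Added example, not the RQM plugin's own source: a minimal Jenkins Builder whose DescriptorImpl shows the persistence path described above, with the plain-String field that ends up as cleartext in the descriptor's XML next to the hudson.util.Secret field that Jenkins encrypts before writing. The class, field and form-parameter names (ExampleRqmBuilder, user, password) are assumptions for illustration; the Jenkins APIs used (Builder, BuildStepDescriptor, Secret, configure/save/load) are the real ones.

```java
import hudson.Extension;
import hudson.Launcher;
import hudson.model.AbstractBuild;
import hudson.model.AbstractProject;
import hudson.model.BuildListener;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.Secret;
import net.sf.json.JSONObject;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.StaplerRequest;

import java.io.IOException;

// Hypothetical build step; the real RqmBuilder is not reproduced here.
public class ExampleRqmBuilder extends Builder {

    @DataBoundConstructor
    public ExampleRqmBuilder() {
    }

    @Override
    public boolean perform(AbstractBuild<?, ?> build, Launcher launcher, BuildListener listener)
            throws InterruptedException, IOException {
        DescriptorImpl d = (DescriptorImpl) getDescriptor();
        // Decrypt only at the point of use, and never echo the plain text into the build log.
        String pw = Secret.toString(d.getPassword());
        if (pw.isEmpty()) {
            listener.error("no RQM password configured in the global settings");
            return false;
        }
        listener.getLogger().println("connecting to RQM as " + d.getUser());
        // ... the RQM client would be handed `pw` here (omitted) ...
        return true;
    }

    @Extension
    public static final class DescriptorImpl extends BuildStepDescriptor<Builder> {
        private String user;

        // VULNERABLE pattern (the class of bug the advisory describes): a plain String field.
        // XStream serialises it verbatim, so $JENKINS_HOME/<class-name>.xml contains
        //   <password>hunter2</password>
        // readable by anyone who can read that file on the controller.
        //
        // private String password;

        // FIXED pattern: hudson.util.Secret. XStream persists Secret.getEncryptedValue(),
        // i.e. the value AES-encrypted under the instance's secret key, so the file contains
        //   <password>{AQAAABAAAA...}</password>
        // and the plain text only exists in memory after load().
        private Secret password;

        public DescriptorImpl() {
            super(ExampleRqmBuilder.class);
            load(); // reads the descriptor's XML back; Secret fields are decrypted transparently
        }

        @Override
        public boolean configure(StaplerRequest req, JSONObject json) throws FormException {
            // Field names assume form parameters named "user" and "password" in the config Jelly view.
            user = json.getString("user");
            // Secret.fromString accepts plain text from the form or an already-encrypted value,
            // so re-submitting the page never downgrades the stored form to cleartext.
            password = Secret.fromString(json.getString("password"));
            save(); // writes $JENKINS_HOME/ExampleRqmBuilder.xml on the controller
            return true;
        }

        public String getUser() {
            return user;
        }

        public Secret getPassword() {
            return password;
        }

        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) {
            return true;
        }

        @Override
        public String getDisplayName() {
            return "Example RQM step";
        }
    }
}
```

To check an affected controller, open $JENKINS_HOME/net.praqma.jenkins.rqm.RqmBuilder.xml: a String-backed field shows the literal password, while a Secret-backed field in current Jenkins releases appears as base64 wrapped in curly braces. Note the limit of the fix: Secret protects the value against readers of that one file, but anyone who can also read secrets/master.key and secrets/hudson.util.Secret on the controller can decrypt it, so the change narrows the exposure rather than removing it, and the Jenkins credentials plugin is the better home for service passwords.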


WAF Protection Rules

WAF Rule

RQM Plugin 2.8 and earlier stores a password unencrypted in its global configuration file `net.praqma.jenkins.rqm.RqmBuilder.xml` on the Jenkins controller as part of its configuration. This password can be viewed by users with access to the Jenkins
