3.3

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-36901

GHSA ID

GHSA-2qh6-hhvv-m2ww

EPSS Score

0.59269%

CWE

CWE-256

Published

7/28/2022

Updated

1/4/2024

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-36901

CVE-2022-36901: Jenkins HTTP Request Plugin stores HTTP Request passwords unencrypted

HTTP Request Plugin 1.15 and earlier stores HTTP Request passwords unencrypted in its global configuration file jenkins.plugins.http_request.HttpRequest.xml on the Jenkins controller as part of its configuration when using (deprecated) Basic/Digest Authentication. These passwords can be viewed by users with access to the Jenkins controller file system.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2022-36901

CVE-2022-36901:

3.3

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-36901

GHSA ID

GHSA-2qh6-hhvv-m2ww

EPSS Score

0.59269%

CWE

CWE-256

Published

7/28/2022

Updated

1/4/2024

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.plugins:http_request	maven	< 1.16	1.16

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from handling Basic/Digest authentication credentials. The commit diff shows these functions managed a list of BasicDigestAuthentication objects containing plaintext passwords. The patch deprecates these functions, marks the storage field as transient, and removes related UI elements. The presence of these functions enabled unencrypted credential storage in jenkins.plugins.http_request.HttpRequest.xml, which was accessible to filesystem users. Their removal in the security fix directly addresses the plaintext storage issue.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

3.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2022-36901: Jenkins HTTP Request Plugin stores HTTP Request passwords unencrypted

CVE-2022-36901:

3.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

3.3

3.3

Technical Details

Basic Information

Basic Information

CVE-2022-36901: Jenkins HTTP Request Plugin stores HTTP Request passwords unencrypted

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI