Metrics Plugin up to 4.0.2.8 on Jenkins Configuration File credentials storage

A vulnerability was found in Metrics Plugin up to 4.0.2.8 on Jenkins (Jenkins Plugin). It has been rated as problematic. This issue affects some unknown functionality of the component Configuration File Handler. No information about possible countermeasures is known. It may be advisable to replace the affected object with an alternative product.

| Field | 01/13/2022 07:26 AM | 01/15/2022 02:37 PM |
|---|---|---|
| name | Metrics Plugin | Metrics Plugin |
| version | <=4.0.2.8 | <=4.0.2.8 |
| platform | Jenkins | Jenkins |
| component | Configuration File Handler | Configuration File Handler |
| cwe | 256 (privilege escalation) | 256 (privilege escalation) |
| risk | 1 | 1 |
| cvss3_vuldb_ac | L | L |
| cvss3_vuldb_pr | H | H |
| cvss3_vuldb_ui | N | N |
| cvss3_vuldb_s | U | U |
| cvss3_vuldb_c | L | L |
| cvss3_vuldb_i | N | N |
| cvss3_vuldb_a | N | N |
| cvss3_vuldb_rc | C | C |
| url | https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-1624 | https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-1624 |
| cve | CVE-2022-20621 | CVE-2022-20621 |
| cve_assigned | 1635372000 | 1635372000 |
| date | 1642028400 (01/13/2022) | 1642028400 (01/13/2022) |
| type | Jenkins Plugin | Jenkins Plugin |
| cvss2_vuldb_ac | L | L |
| cvss2_vuldb_au | M | M |
| cvss2_vuldb_ci | P | P |
| cvss2_vuldb_ii | N | N |
| cvss2_vuldb_ai | N | N |
| cvss2_vuldb_rc | C | C |
| cvss2_vuldb_av | A | A |
| cvss2_vuldb_e | ND | ND |
| cvss2_vuldb_rl | ND | ND |
| cvss3_vuldb_av | A | A |
| cvss3_vuldb_e | X | X |
| cvss3_vuldb_rl | X | X |
| cvss2_vuldb_basescore | 2.2 | 2.2 |
| cvss2_vuldb_tempscore | 2.2 | 2.2 |
| cvss3_vuldb_basescore | 2.4 | 2.4 |
| cvss3_vuldb_tempscore | 2.4 | 2.4 |
| cvss3_meta_basescore | 2.4 | 2.4 |
| cvss3_meta_tempscore | 2.4 | 2.4 |
| price_0day | $0-$5k | $0-$5k |

Fields listed with a single value:

| Field | Value |
|---|---|
| confirm_url | https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-1624 |
| cve_nvd_summary | Jenkins Metrics Plugin 4.0.2.8 and earlier stores an access key unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system. |
