CVE-2022-20621 — Access key stored in plain text by Jenkins Metrics Plugin

Description

Jenkins Metrics Plugin 4.0.2.8 and earlier stores an access key unencrypted in its global configuration file `jenkins.metrics.api.MetricsAccessKey.xml` on the Jenkins controller as part of its configuration. This access key can be viewed by users with access to the Jenkins controller file system. Jenkins Metrics Plugin 4.0.2.8.1 stores access key encrypted once its configuration is saved again. Additionally, the token value is only displayed once when it is generated.

How to fix CVE-2022-20621

To remediate CVE-2022-20621, upgrade the affected package to a fixed version below.

—upgrade to 4.0.2.8.1 or later

Is CVE-2022-20621 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 4.0.2.8, < 4.0.2.8.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.5	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-20621
PATCHgithub.com/jenkinsci/metrics-plugin
WEBgithub.com/jenkinsci/metrics-plugin/commit/9810480370d4c5e04a2b710934db5461bde0d1b6
WEBwww.jenkins.io/security/advisory/2022-01-12/#SECURITY-1624