CVE-2022-25210
Description
Jenkins Convertigo Mobile Platform Plugin 1.1 and earlier stores job passwords in static fields, allowing attackers with Item/Configure permission to capture them.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Jenkins Convertigo Mobile Platform Plugin 1.1 and earlier uses static fields to store job configuration information, including passwords [1][2]. Because a static field belongs to the class rather than to an individual job's configuration, the value is shared across every job that uses the plugin, so the password saved for one job can be exposed to a user configuring a different job. The affected versions are 1.1 and all earlier releases of the plugin [1][2].
Exploitation
An attacker needs to have the Item/Configure permission on a Jenkins job [1][2]. With this permission, the attacker can leverage the static field storage to view or capture passwords used in job configurations, as the static fields are accessible across job boundaries [1][2]. No other special privileges or user interaction are required beyond the Item/Configure permission.
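To make the mechanism concrete, the following constructed Java example (added here; it is not the plugin's source, and the class and field names are hypothetical) contrasts a build step that keeps its password in a static field with one that keeps it per instance:

```java
// Constructed illustration of the bug class, not the Convertigo plugin's code.
// A Jenkins build step's configuration is normally one object per job; a
// static field collapses that into one slot shared by every job in the JVM.
public class StaticFieldSharing {

    // Vulnerable pattern: the password is class-level, so the last job that
    // was configured overwrites what every other job's config form will show.
    static class VulnerableStep {
        private static String password;            // one slot for all jobs

        VulnerableStep(String password) { VulnerableStep.password = password; }
        String getPassword() { return password; }  // rendered back into the form
    }

    // Hardened pattern: each configured job owns its own value. In a real
    // plugin the field would be a hudson.util.Secret so it is encrypted at
    // rest and masked in the UI, and it would never be static.
    static class FixedStep {
        private final String password;             // per job instance

        FixedStep(String password) { this.password = password; }
        String getPassword() { return password; }
    }

    public static void main(String[] args) {
        // Job A is configured first with its own password.
        VulnerableStep jobA = new VulnerableStep("jobA-secret");
        // Job B is configured later by a different user holding Item/Configure.
        VulnerableStep jobB = new VulnerableStep("jobB-secret");
        // Both objects now read the same static slot: whichever job was saved
        // last determines the password every job's configuration page shows.
        System.out.println("vulnerable: jobA reports " + jobA.getPassword()
                + ", jobB reports " + jobB.getPassword());

        FixedStep fixedA = new FixedStep("jobA-secret");
        FixedStep fixedB = new FixedStep("jobB-secret");
        // Per-instance storage keeps each job's value separate.
        System.out.println("fixed: jobA reports " + fixedA.getPassword()
                + ", jobB reports " + fixedB.getPassword());
    }
}
```

A code-review grep for `static` fields holding credential-typed values in `Builder`, `Publisher` or `Descriptor` subclasses is the quickest way to spot this pattern in other plugins.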
Impact
Successful exploitation allows an attacker to obtain passwords that are configured for jobs in the Jenkins instance [1][2]. This leads to unauthorized disclosure of credentials (confidentiality impact), which could then be reused to access other systems or services, potentially escalating privileges beyond the Jenkins environment.
Mitigation
As of the publication date (2022-02-15), no fixed version of the Convertigo Mobile Platform Plugin is available; users are advised to remove the plugin if it is not needed, or to restrict Item/Configure permission to trusted users [1]. This vulnerability is not listed in the Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| com.convertigo.jenkins.plugins:convertigo-mobile-platform | Maven | <= 1.1 | — |
Affected products
- Jenkins project / Jenkins Convertigo Mobile Platform Plugin (range: unspecified)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-vwx4-frpr-w27j (GHSA advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2022-25210 (NVD entry)
- [3] www.jenkins.io/security/advisory/2022-02-15/ (Jenkins security advisory, x_refsource_CONFIRM)
News mentions
- Jenkins Security Advisory 2022-02-15 (Jenkins Security Advisories, Feb 15, 2022)