CVE-2022-28141
Description
Jenkins Proxmox Plugin 0.5.0 and earlier stores the Proxmox Datacenter password in plaintext in config.xml, exposing it to users with file system access.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Jenkins Proxmox Plugin 0.5.0 and earlier stores the Proxmox Datacenter password unencrypted in the global config.xml file on the Jenkins controller. This affects all versions up to and including 0.5.0. [1][3]
Exploitation
An attacker with read access to the Jenkins controller's file system (e.g., a user with Overall/Read permission or via another vulnerability) can read the config.xml file and extract the plaintext Proxmox Datacenter password. No additional authentication or user interaction is required beyond file system access. [1][3]
Impact
Successful exploitation reveals the Proxmox Datacenter password, allowing the attacker to authenticate to the Proxmox virtualization environment. This could lead to compromise of virtual machines managed by the plugin and potential lateral movement within the infrastructure. [1][3]
Mitigation
Jenkins Proxmox Plugin 0.6.0, 0.7.0, and 0.7.1, released on 2022-03-29, fix this issue by encrypting the stored password. [2] Users should upgrade to one of these versions. No workaround is documented; if upgrading is not immediately possible, restrict file system access to the Jenkins controller to trusted users only.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:proxmox (Maven) | < 0.6.0 | 0.6.0 |
Affected products
- Jenkins project/Jenkins Proxmox Plugin (v5), Range: unspecified
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-w97x-j6rg-55v5 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-28141 (ghsa, ADVISORY)
- www.openwall.com/lists/oss-security/2022/03/29/1 (ghsa, mailing-list, x_refsource_MLIST, WEB)
- www.jenkins.io/security/advisory/2022-03-29/ (ghsa, x_refsource_CONFIRM, WEB)
News mentions
- Jenkins Security Advisory 2022-03-29, Jenkins Security Advisories · Mar 29, 2022