CVE-2022-34199
Description
Jenkins Convertigo Mobile Platform Plugin 1.1 and earlier stores passwords in plaintext in job config.xml files, accessible to users with Extended Read permission or file system access.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Jenkins Convertigo Mobile Platform Plugin versions 1.1 and earlier stores passwords in plaintext (unencrypted) within job config.xml files on the Jenkins controller [1][2]. This is a classic example of a sensitive data exposure vulnerability, where credentials are persisted without proper encryption or hashing.
Exploitation
An attacker can exploit this vulnerability by leveraging either of two access vectors: (1) having the 'Extended Read' permission on a Jenkins job, which allows viewing the job's configuration including the plaintext password, or (2) obtaining direct access to the Jenkins controller's file system to read the config.xml files directly [1][2]. No additional authentication or network access is required beyond these permissions or file system access.
Impact
Successful exploitation allows an attacker to retrieve plaintext passwords stored by the plugin. These credentials could then be used to gain unauthorized access to Convertigo Mobile Platform instances or other systems where the same credentials are reused [1][2]. The exposure is particularly severe because passwords are often reused across multiple services, amplifying the potential damage.
Mitigation
As of the Jenkins Security Advisory 2022-06-22, the Convertigo Mobile Platform Plugin is affected, and users are advised to upgrade to a version where this issue is fixed, if available, or to apply appropriate workarounds such as limiting Extended Read permissions and restricting file system access to the Jenkins controller [1][2]. The plugin repository on GitHub may contain updated versions [3].
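An audit sketch for the exposure described above, added here as an example and not taken from the plugin or the Jenkins project: it walks job config.xml files under a Jenkins home directory and reports elements that look like credentials but are not in the brace-wrapped base64 form Jenkins uses for encrypted secrets. The element-name heuristic, the sample XML and the function names are assumptions; the page does not give the plugin's actual field names.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Jenkins writes hudson.util.Secret values as base64 wrapped in braces.
ENCRYPTED = re.compile(r"^\{[A-Za-z0-9+/]+={0,2}\}$")
# Assumption: sensitive fields are recognisable by element name.
SENSITIVE = re.compile(r"pass(word|wd|phrase)|secret|token", re.I)
XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")

# Constructed sample; element names are hypothetical, not the plugin's.
SAMPLE = """<?xml version='1.1' encoding='UTF-8'?>
<project>
  <builders>
    <example.DeployBuilder>
      <user>ci</user>
      <password>constructed-plaintext-value</password>
      <apiToken>{AQAAABAAAAAQc2FtcGxlc2FtcGxlc2FtcGxl}</apiToken>
    </example.DeployBuilder>
  </builders>
</project>"""

def plaintext_fields(xml_text):
    """Paths of sensitive-looking elements whose value is not an encrypted Secret."""
    # Drop the declaration: not every parser accepts the XML 1.1 header.
    root = ET.fromstring(XML_DECL.sub("", xml_text, count=1))
    hits = []
    def walk(el, path):
        here = f"{path}/{el.tag}"
        value = (el.text or "").strip()
        if SENSITIVE.search(el.tag) and value and not ENCRYPTED.match(value):
            hits.append(here)  # report the location only, never the value
        for child in el:
            walk(child, here)
    walk(root, "")
    return hits

def audit_jenkins_home(home):
    """Map each job config.xml under home to its plaintext findings."""
    findings = {}
    for cfg in sorted(Path(home).glob("jobs/**/config.xml")):
        try:
            hits = plaintext_fields(cfg.read_text(encoding="utf-8", errors="replace"))
        except ET.ParseError:
            hits = ["<unparseable>"]
        if hits:
            findings[str(cfg)] = hits
    return findings

if __name__ == "__main__":
    print(plaintext_fields(SAMPLE))
```

Any finding means the stored credential should be treated as exposed to everyone with Extended Read on that job and rotated, not only hidden.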
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.convertigo.jenkins.plugins:convertigo-mobile-platform (Maven) | <= 1.1 | — |
Affected products
- Jenkins project / Jenkins Convertigo Mobile Platform Plugin (v5). Range: unspecified
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-c8mf-mc3f-2wvc (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-34199 (ghsa, ADVISORY)
- www.jenkins.io/security/advisory/2022-06-22/ (ghsa, x_refsource_CONFIRM, WEB)