CVE-2022-34202

Vulnerability

Jenkins EasyQA Plugin versions 1.0 and earlier store user passwords in plaintext within the global configuration file on the Jenkins controller [1][2]. This occurs because the plugin writes credentials without encryption, violating secure storage practices for sensitive data.

Exploitation

An attacker with access to the Jenkins controller file system can read the configuration file containing the plaintext passwords [1]. No authentication or network-based attack is required; the primary prerequisite is local file system access to the controller.

Impact

A successful exploit allows an attacker to retrieve cleartext passwords stored by the EasyQA Plugin. These credentials could then be reused to access other systems or services where the same passwords are employed, potentially leading to broader compromise.

Mitigation

The vulnerability affects EasyQA Plugin 1.0 and earlier. Users should upgrade to a patched version if available, or remove the plugin if no longer needed [1][3]. As of the advisory, no workaround beyond restricting file system access is documented.