CVE-2022-34213
Description
Jenkins Squash TM Publisher (Squash4Jenkins) Plugin 1.0.0 and earlier stores passwords unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins Squash TM Publisher Plugin 1.0.0 and earlier stores passwords unencrypted in its global configuration file, accessible to users with Jenkins controller file system access.
Overview
Jenkins Squash TM Publisher Plugin versions 1.0.0 and earlier store passwords in plain text in the plugin's global configuration file on the Jenkins controller [1]. This violates secure credential storage practices.
Exploitation
An attacker with access to the Jenkins controller file system can read the configuration file to obtain stored passwords [3]. No additional authentication or network access is required.
Impact
Exposed passwords could be used to authenticate to Squash TM servers, potentially allowing unauthorized actions on test results and configurations managed through the plugin.
Mitigation
As of the advisory date, no fixed version was announced. Users should restrict file system access to the Jenkins controller and consider using encrypted credential stores if available. Monitor the plugin's repository for updates [2].
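One way to check a controller for this class of issue, as an added example that is not part of the advisory or the plugin's code: scan a plugin configuration file for credential-like elements whose value is not in the `{base64}` form Jenkins uses for encrypted `Secret` fields. The sample XML, its element names and the name-matching heuristic are constructed assumptions, not the plugin's real file layout.

```python
import re
import xml.etree.ElementTree as ET

# Jenkins' hudson.util.Secret serializes encrypted values as "{<base64>}".
ENCRYPTED = re.compile(r"^\{[A-Za-z0-9+/]+={0,2}\}$")
# Element names that suggest a credential (heuristic, an assumption).
SENSITIVE = re.compile(r"passw|secret|token|apikey", re.IGNORECASE)

# Constructed sample: NOT the plugin's real file; element names are hypothetical.
SAMPLE_CONFIG = """<?xml version='1.1' encoding='UTF-8'?>
<example.plugin.GlobalConfig plugin="example-plugin@0.0.0">
  <servers>
    <server>
      <url>https://tm.example.invalid/squash</url>
      <login>ci-bot</login>
      <password>constructed-plaintext-value</password>
    </server>
    <server>
      <url>https://tm2.example.invalid/squash</url>
      <login>ci-bot</login>
      <password>{AQAAABAAAAAQY29uc3RydWN0ZWQtc2FtcGxl}</password>
    </server>
  </servers>
</example.plugin.GlobalConfig>
"""

def find_plaintext_secrets(xml_text):
    """Return paths of credential-like elements not in Jenkins' encrypted form.
    Only the path is reported, never the value, so the output is safe to log."""
    # Jenkins writes an XML 1.1 declaration; expat is an XML 1.0 parser, so drop it.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text, count=1)
    findings = []

    def walk(node, path):
        text = (node.text or "").strip()
        if SENSITIVE.search(node.tag) and text and not ENCRYPTED.match(text):
            findings.append(path)
        for index, child in enumerate(node):
            walk(child, f"{path}/{child.tag}[{index}]")

    root = ET.fromstring(body)
    walk(root, f"/{root.tag}")
    return findings
```

A finding means the value would be readable by anyone with file system access to the controller; an empty result only means no element matched the name heuristic.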
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:squashtm-publisher (Maven) | <= 1.0.0 | — |
Affected products
- Range: <=1.0.0
- Range: unspecified
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-9h79-5m2f-mqj2 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-34213 (ghsa, ADVISORY)
- www.jenkins.io/security/advisory/2022-06-22/ (ghsa, x_refsource_CONFIRM, WEB)