VYPR
Low severity · NVD Advisory · Published Jun 30, 2022 · Updated Aug 3, 2024

CVE-2022-34802

Description

Jenkins RocketChat Notifier Plugin 1.5.2 and earlier stores the login password and webhook token unencrypted in its global configuration file, exposing them to users with file system access.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Jenkins RocketChat Notifier Plugin versions 1.5.2 and earlier store the login password and webhook token in plaintext (unencrypted) in the plugin's global configuration file on the Jenkins controller [1][2]. This configuration file is accessible to any user who has read access to the controller's file system, regardless of their Jenkins permissions [2].

Exploitation

An attacker with access to the Jenkins controller file system (e.g., through a compromised Jenkins agent, an authenticated user with file read permissions, or via another vulnerability that enables file system access) can read the global configuration file for the plugin and extract the stored login password and webhook token [1][2]. No additional authentication or user interaction is required beyond the initial file system access [2].

Impact

Successful exploitation results in the disclosure of sensitive credentials—the login password and webhook token used by the plugin to authenticate with RocketChat [1][2]. An attacker could use these credentials to impersonate the Jenkins controller in communications with RocketChat, potentially sending malicious notifications, altering configuration, or gaining further access to the RocketChat instance [1][2].

Mitigation

Jenkins released updated versions of the RocketChat Notifier Plugin that encrypt the stored credentials; users should upgrade to a fixed version (e.g., later than 1.5.2) as described in the official Jenkins security advisory [1]. As a workaround, administrators can restrict file system access to the Jenkins controller to only trusted users and review file permissions on the configuration file [1]. The vulnerability is listed in the NVD with a CVSS v3.1 score of 5.5 (medium) for confidentiality impact [2].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                             Affected versions   Patched versions
org.jenkins-ci.plugins:rocketchatnotifier (Maven)   <= 1.5.2            (not listed)

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0

No linked articles in our index yet.