VYPR
Low severity · NVD Advisory · Published Jun 30, 2022 · Updated Aug 3, 2024

CVE-2022-34809

Description

Jenkins RQM Plugin 2.8 and earlier stores a password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins RQM Plugin 2.8 and earlier stores a password in plaintext in its global configuration file, exposing it to users with file system access on the Jenkins controller.

Vulnerability

Description

Jenkins RQM Plugin 2.8 and earlier stores a password unencrypted in its global configuration file on the Jenkins controller [1][2]. This plaintext storage occurs because the plugin does not use Jenkins' built-in credential encryption mechanisms when saving the password to disk. The password is written to the configuration file without any obfuscation or encryption, making it directly readable.

Exploitation

To exploit this vulnerability, an attacker must have access to the Jenkins controller's file system. This could be achieved through a compromised Jenkins agent, a separate vulnerability that grants file read access, or direct access to the controller's operating system. No additional authentication or network position is required beyond the ability to read the configuration file. The password is stored in the global configuration, meaning it is not tied to a specific job or user.

Impact

An attacker with file system access can retrieve the plaintext password, which is likely used to authenticate to an external service such as IBM Rational Quality Manager (RQM) [3]. With this password, the attacker could potentially access or manipulate data in the connected RQM instance, depending on the privileges associated with the stored credential. This could lead to unauthorized access to test management data or other sensitive information.

Mitigation

The Jenkins Security Advisory for June 30, 2022, includes this vulnerability and recommends upgrading the RQM Plugin to a version that encrypts the stored password [1]. As of the advisory date, no workaround is provided. Users should update the plugin to the latest available version to remediate the issue.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: net.praqma:rqm-plugin (Maven)
Affected versions: <= 2.8
Patched versions: (none listed)

Affected products

3

Patches

0

No patches discovered yet.

References

3
