VYPR
Low severity · NVD Advisory · Published Sep 21, 2022 · Updated May 28, 2025

CVE-2022-41255

Description

Jenkins CONS3RT Plugin 1.0.0 and earlier stores the Cons3rt API token unencrypted in job config.xml files, exposing it to users with file system access.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Overview

CVE-2022-41255 affects the Jenkins CONS3RT Plugin, versions 1.0.0 and earlier. The plugin stores the Cons3rt API token in plaintext within job config.xml files on the Jenkins controller [1][3]. This occurs because the token is not encrypted or masked when saved to disk, violating the principle of secure credential storage.

Exploitation and Attack Surface

An attacker who has access to the Jenkins controller's file system can view the stored API token by reading the job configuration files. This does not require any special plugin permissions beyond being able to access the file system (e.g., via direct file read, backup inspection, or other vulnerabilities that grant file system access) [2]. The attack is local in the sense of requiring file system access, but could be leveraged remotely if an attacker achieves code execution or obtains a backup containing the config files.

Impact

With the exposed API token, an attacker can authenticate to the Cons3rt service as the user associated with that token. This could allow unauthorized creation, modification, or deletion of CONS3RT assets and deployment runs, potentially leading to data breaches or disruption of CI/CD pipelines [4]. The confidentiality of the token is critical; its exposure undermines the security of the CONS3RT integration.

Mitigation Status

The Jenkins security advisory indicates that this issue was not fixed in a plugin update at the time of publication; the CONS3RT Plugin remains in a state where the token is stored unencrypted [1][2]. Users are advised to remove or replace the plugin if possible, or to restrict file system access to the Jenkins controller to only trusted administrators.
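A defender-side audit for the storage weakness described above, as an added example that is not part of this advisory or of the CONS3RT plugin's own code. It scans Jenkins job config.xml files and flags sensitive-looking elements whose value is not in Jenkins's encrypted Secret form ("{<base64>}"); the sample config, its element names and the token value are constructed for illustration, since this page does not give the plugin's real element names.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Jenkins persists hudson.util.Secret values as "{<base64 ciphertext>}"; a bare
# string in a token/secret/password element means it was written in plaintext.
ENCRYPTED_SECRET = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")
SENSITIVE_TAG = re.compile(r"token|secret|password|apikey", re.IGNORECASE)


def find_plaintext_secrets(config_xml: str):
    """Return (element_path, value) pairs for sensitive-looking elements whose
    text is not in the encrypted Secret form."""
    root = ET.fromstring(config_xml)
    findings = []

    def walk(elem, path):
        here = f"{path}/{elem.tag}"
        text = (elem.text or "").strip()
        if text and SENSITIVE_TAG.search(elem.tag) and not ENCRYPTED_SECRET.match(text):
            findings.append((here, text))
        for child in elem:
            walk(child, here)

    walk(root, "")
    return findings


def audit_jobs_dir(jobs_dir):
    """Scan every <jobs_dir>/<job>/config.xml on a controller; return {job: findings}."""
    results = {}
    for cfg in Path(jobs_dir).glob("*/config.xml"):
        hits = find_plaintext_secrets(cfg.read_text(encoding="utf-8"))
        if hits:
            results[cfg.parent.name] = hits
    return results


# Constructed sample job config (hypothetical element names and token value).
SAMPLE_CONFIG = """<project>
  <builders>
    <com.example.cons3rt.Cons3rtBuilder>
      <apiToken>c0n5-3xample-plaintext-token</apiToken>
      <siteUrl>https://cons3rt.example.invalid</siteUrl>
    </com.example.cons3rt.Cons3rtBuilder>
    <com.example.OtherStep>
      <password>{AQAAABAAAAAQabcdef0123456789ABCDEF+/=}</password>
    </com.example.OtherStep>
  </builders>
</project>
"""

if __name__ == "__main__":
    for path, value in find_plaintext_secrets(SAMPLE_CONFIG):
        print(f"plaintext secret at {path}: {value[:4]}...")
```

Run audit_jobs_dir("/var/lib/jenkins/jobs") (path assumed) from the controller to list every job whose config stores a sensitive value unencrypted, which also covers backups of that directory.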

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
org.jenkins-ci.plugins:cons3rt (Maven) | <= 1.0.0 | (none listed)

Patches

No patches discovered yet.
