CVE-2022-45392
Description
Jenkins NS-ND Integration Performance Publisher Plugin ≤4.8.0.143 stores passwords in cleartext in job config.xml files, exposing them to users with Extended Read permission or file system access.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Description
CVE-2022-45392: the Jenkins NS-ND Integration Performance Publisher Plugin, versions 4.8.0.143 and earlier, stores user-supplied passwords unencrypted in job config.xml files on the Jenkins controller [1][3]. The password entered in the plugin's build-step configuration (such as the NetStorm server password) is serialized into the XML job definition as the literal string [4]. The usual cause of this advisory class is a configuration field declared as a plain String instead of hudson.util.Secret; Jenkins encrypts Secret-typed fields with the controller's master key when it writes config.xml, but a String field is written verbatim, and no amount of UI masking changes what lands on disk.
Exploitation and Attack Surface
An attacker with the Extended Read permission on an affected job, or with read access to the controller's file system, can retrieve the stored passwords [3]. Administrative privileges are not required: Extended Read lets a user view a job's configuration (the "View Configuration" page and the job's config.xml endpoint) without being able to change it, which is why it is sometimes granted to auditors or read-only users. Note that Job/ExtendedRead is hidden by default and only becomes assignable when an administrator enables it (system property hudson.security.ExtendedReadPermission), so the first check on an instance is whether any user or group actually holds it. Separately, anyone who can read JENKINS_HOME on the controller host, whether through another vulnerability, a shared host, or an exported backup, can read the config.xml files directly [2].
Impact
A successful attack yields the cleartext credentials for the NetStorm or NetCloud server configured in the plugin's build step. With them an attacker can authenticate to the remote performance-testing infrastructure and access, modify, or intercept test suite execution and reports, which can lead to further compromise or data exfiltration [4]. Because the recovered value is the actual password rather than a hash, it is also immediately reusable anywhere the same password is shared.
Mitigation
The Jenkins Security Advisory 2022-11-15 lists 4.8.0.146 as the fixed release, which is also the patched version recorded in the GitHub Security Advisory [2]. Upgrade to that version or later. Upgrading alone is unlikely to rewrite existing config.xml files: as with other Jenkins advisories of this type, the stored value is converted to the encrypted form only when the affected job configuration is saved again, so after upgrading re-save every job that uses the plugin and confirm that the password field in its config.xml now holds a braced `{...}` Secret value rather than cleartext. Treat any password that was stored in cleartext as exposed and rotate it on the NetStorm/NetCloud side. No workaround is published; restricting Extended Read and hardening file system access to the controller reduce exposure but are not complete fixes.
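The following audit script is an added example, not code from the advisory or from the plugin. It shows what Extended Read or file system access actually exposes and gives the check a practitioner wants after upgrading and re-saving jobs: it walks config.xml documents, finds password-like elements, and reports the ones that still hold cleartext rather than the braced `{base64}` form hudson.util.Secret writes. The XML sample and its element names (example.PerfPublisher, proxyPassword, and so on) are constructed for illustration and are not the plugin's real field names.

```python
"""Audit Jenkins job config.xml files for cleartext password fields.

Added illustration, not from the advisory or the plugin. Jenkins serialises a
hudson.util.Secret as "{<base64 ciphertext>}"; a plain String field is written
verbatim. Anything in a password-like element that is not braced base64 is
reported as cleartext. Controllers older than the braced format stored bare
base64 and will show up as findings too, which is the safe direction for an audit.
"""
import re
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Iterator, List, NamedTuple, Tuple

# Element names worth inspecting: password, passwd, proxyPassword, apiPasswd ...
PASSWORD_TAG = re.compile(r"pass(word|wd)", re.IGNORECASE)
# Serialised form of a modern Jenkins Secret: braces around base64.
BRACED_SECRET = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")


class Finding(NamedTuple):
    path: str      # file the element came from
    element: str   # XPath-like location of the offending element
    preview: str   # first three characters, enough to confirm it is cleartext


def looks_encrypted(value: str) -> bool:
    """True only for the braced Secret form; everything else is treated as cleartext."""
    return BRACED_SECRET.match(value.strip()) is not None


def _walk(elem: ET.Element, prefix: str = "") -> Iterator[Tuple[str, ET.Element]]:
    """Depth-first walk yielding (xpath-like location, element)."""
    path = f"{prefix}/{elem.tag}"
    yield path, elem
    for child in elem:
        yield from _walk(child, path)


def cleartext_password_fields(xml_text: str, path: str = "<inline>") -> List[Finding]:
    """Return one Finding per password-like element whose text is not a Secret."""
    findings: List[Finding] = []
    for location, elem in _walk(ET.fromstring(xml_text)):
        if not PASSWORD_TAG.search(elem.tag):
            continue
        value = (elem.text or "").strip()
        if not value or looks_encrypted(value):   # empty = nothing configured
            continue
        findings.append(Finding(path, location, value[:3] + "..."))
    return findings


def scan_jenkins_home(jenkins_home: Path) -> List[Finding]:
    """Scan every job config.xml under JENKINS_HOME/jobs (folders nest jobs/ again)."""
    findings: List[Finding] = []
    for cfg in sorted((jenkins_home / "jobs").rglob("config.xml")):
        try:
            findings.extend(cleartext_password_fields(cfg.read_text(encoding="utf-8"), str(cfg)))
        except ET.ParseError as exc:
            print(f"skip {cfg}: {exc}")
    return findings


# Constructed sample job definition: one cleartext password (the bug), one value
# already in Secret form (what a re-saved job on a fixed plugin looks like), and
# one empty field. Element names are hypothetical.
SAMPLE_CONFIG_XML = """<?xml version='1.1' encoding='UTF-8'?>
<project>
  <description>perf test job</description>
  <publishers>
    <example.PerfPublisher>
      <serverUrl>https://netstorm.example.internal</serverUrl>
      <username>ci-user</username>
      <password>hunter2</password>
      <proxyPassword>{AQAAABAAAAAQx3f2Q8k5Zz9vY1m0K7pLqT8Hc2sXnB4dZ6WkQ1RaE0o=}</proxyPassword>
      <apiPassword></apiPassword>
    </example.PerfPublisher>
  </publishers>
</project>
"""

if __name__ == "__main__":
    import os
    import sys
    home = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(os.environ.get("JENKINS_HOME", "."))
    results = scan_jenkins_home(home) if (home / "jobs").is_dir() else \
        cleartext_password_fields(SAMPLE_CONFIG_XML, "sample")
    for f in results:
        print(f"{f.path}: {f.element} = {f.preview}")
    sys.exit(1 if results else 0)
```

Run it as `python audit_config_xml.py "$JENKINS_HOME"` on the controller (or against a restored backup); a non-zero exit means at least one job still carries a cleartext password and needs re-saving and rotation. The element-name regex is deliberately broad, so expect to triage a few fields that are not secrets at all; a false positive costs a glance, a false negative costs a credential.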
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| io.jenkins.plugins:cavisson-ns-nd-integration (Maven) | < 4.8.0.146 | 4.8.0.146 |
Affected products
- Range: unspecified
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-x2w2-5552-fjv6 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-45392 (NVD)
- www.openwall.com/lists/oss-security/2022/11/15/4 (oss-security mailing list)
- www.jenkins.io/security/advisory/2022-11-15/ (Jenkins Security Advisory)
News mentions
- Jenkins Security Advisory 2022-11-15, Jenkins Security Advisories, Nov 15, 2022