Jenkins plugins Multiple Vulnerabilities (2022-08-23)

medium Nessus Plugin ID 164452


An application running on a remote web server host is affected by multiple vulnerabilities


According to their self-reported version numbers, the version of Jenkins plugins running on the remote web server are affected by multiple vulnerabilities:

- Jenkins Git Plugin 4.11.4 and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log provided by the Git Username and Password (`gitUsernamePassword`) credentials binding.

- Jenkins Job Configuration History Plugin 1165.v8cc9fd1f4597 and earlier does not escape the job name on the System Configuration History page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure job names. (CVE-2022-38664)

- Jenkins CollabNet Plugins Plugin 2.0.8 and earlier stores a RabbitMQ password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system. (CVE-2022-38665)

- Loading specially-crafted yaml with the Kubernetes Java Client library can lead to code execution.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.


Update Jenkins plugins to the following versions:
- CollabNet Plugins Plugin to version 2.0.9 or later
- Git Plugin to version 4.11.5 or later
- Job Configuration History Plugin to version 1166.vc9f255f45b_8a or later
- Kubernetes Continuous Deploy Plugin: See vendor advisory

See vendor advisory for more details.

See Also

Plugin Details

Severity: Medium

ID: 164452

File Name: jenkins_security_advisory_2022-08-23_plugins.nasl

Version: 1.3

Type: combined

Agent: windows, macosx, unix

Family: CGI abuses

Published: 8/26/2022

Updated: 7/28/2023

Supported Sensors: Nessus Agent

Risk Information


Risk Factor: Medium

Score: 5.9


Risk Factor: Medium

Base Score: 4.6

Temporal Score: 3.4

Vector: CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2021-25738


Risk Factor: Medium

Base Score: 6.7

Temporal Score: 5.8

Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:cloudbees:jenkins, cpe:/a:jenkins:jenkins

Required KB Items: installed_sw/Jenkins

Exploit Ease: No known exploits are available

Patch Publication Date: 8/23/2022

Vulnerability Publication Date: 10/11/2021

Reference Information

CVE: CVE-2021-25738, CVE-2022-38663, CVE-2022-38664, CVE-2022-38665