CVE-2022-27195: Insertion of Sensitive Information into Log File

March 15, 2022 (updated October 17, 2022)

Jenkins Parameterized Trigger Plugin 2.43 and earlier captures environment variables passed to builds triggered using Jenkins Parameterized Trigger Plugin, including password parameter values, in their build.xml files. These values are stored unencrypted and can be viewed by users with access to the Jenkins controller file system.

References

www.openwall.com/lists/oss-security/2022/03/15/2
nvd.nist.gov/vuln/detail/CVE-2022-27195
www.jenkins.io/security/advisory/2022-03-15/

Detect and mitigate CVE-2022-27195 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →