CVE-2022-27195: Sensitive parameter values captured in build metadata files by Jenkins Parameterized Trigger Plugin

March 16, 2022 (updated November 30, 2022)

Jenkins Parameterized Trigger Plugin 2.43 and earlier captures environment variables passed to builds triggered using Jenkins Parameterized Trigger Plugin, including password parameter values, in their build.xml files. These values are stored unencrypted and can be viewed by users with access to the Jenkins controller file system.

References

www.openwall.com/lists/oss-security/2022/03/15/2
github.com/advisories/GHSA-5mpf-hw8f-86w9
github.com/jenkinsci/parameterized-trigger-plugin/commit/6b7cd2272cbd9f97416bff7ea19132b9aad0898d
nvd.nist.gov/vuln/detail/CVE-2022-27195
www.jenkins.io/security/advisory/2022-03-15/

Detect and mitigate CVE-2022-27195 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →