Skip to main content

Blue Ocean CVE-2022-30952

MEDIUM
Insufficiently Protected Credentials (CWE-522)
2022-05-17 jenkinsci-cert@googlegroups.com
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
May 17, 2022 - 15:15 nvd
MEDIUM 6.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 7 maven packages depend on io.jenkins.blueocean:blueocean-pipeline-scm-api (2 direct, 5 indirect)

Ecosystem-wide dependent count for version 1.25.4.

DescriptionNVD

Jenkins Pipeline SCM API for Blue Ocean Plugin 1.25.3 and earlier allows attackers with Job/Configure permission to access credentials with attacker-specified IDs stored in the private per-user credentials stores of any attacker-specified user in Jenkins.

AnalysisAI

Jenkins Pipeline SCM API for Blue Ocean Plugin 1.25.3 and earlier allows attackers with Job/Configure permission to access credentials with attacker-specified IDs stored in the private per-user. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Insufficiently Protected Credentials (CWE-522), which allows attackers to obtain user credentials due to weak protection mechanisms. Jenkins Pipeline SCM API for Blue Ocean Plugin 1.25.3 and earlier allows attackers with Job/Configure permission to access credentials with attacker-specified IDs stored in the private per-user credentials stores of any attacker-specified user in Jenkins. Affected products include: Jenkins Blue Ocean.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Hash passwords with strong algorithms (bcrypt, argon2), encrypt credentials in transit and at rest, never log credentials.

CVE-2023-40341 HIGH
8.8 Aug 16

A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.27.5 and earlier allows attackers to co

CVE-2017-1000106 HIGH
8.5 Oct 05

Blue Ocean allows the creation of GitHub organization folders that are set up to scan a GitHub organization for reposito

CVE-2022-30954 MEDIUM
6.5 May 17

Jenkins Blue Ocean Plugin 1.25.3 and earlier does not perform a permission check in several HTTP endpoints, allowing att

CVE-2022-30953 MEDIUM
6.5 May 17

A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.25.3 and earlier allows attackers to co

CVE-2020-2254 MEDIUM
6.5 Sep 16

Jenkins Blue Ocean Plugin 1.23.2 and earlier provides an undocumented feature flag that, when enabled, allows an attacke

CVE-2019-1003012 MEDIUM
6.5 Feb 06

A data modification vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier in blueocean-core-js/src/js/bu

CVE-2019-1003013 MEDIUM
5.4 Feb 06

An cross-site scripting vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier in blueocean-commons/src/m

CVE-2017-1000105 MEDIUM
5.3 Oct 05

The optional Run/Artifacts permission can be enabled by setting a Java system property. Rated medium severity (CVSS 5.3)

CVE-2017-1000110 MEDIUM
4.3 Oct 05

Blue Ocean allows the creation of GitHub organization folders that are set up to scan a GitHub organization for reposito

CVE-2020-2255 MEDIUM
4.3 Sep 16

A missing permission check in Jenkins Blue Ocean Plugin 1.23.2 and earlier allows attackers with Overall/Read permission

Share

CVE-2022-30952 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy