CVE-2022-45384 – org.jenkins-ci.main:reverse-proxy-auth-plugin
Package
Manager: maven
Name: org.jenkins-ci.main:reverse-proxy-auth-plugin
Vulnerable Version: >=1.7.3 <1.7.4
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.0008 (percentile: 0.2453)
Details
Jenkins Reverse Proxy Auth Plugin vulnerable due to plaintext storage of passwords
Jenkins Reverse Proxy Auth Plugin versions 1.7.3 and earlier store the LDAP manager password unencrypted in the global config.xml file on the Jenkins controller, where it can be viewed by attackers with access to the Jenkins controller file system.
Metadata
Created: 2022-11-16T12:00:23Z
Modified: 2025-04-30T20:25:23Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-wcjj-qm5v-j4pc/GHSA-wcjj-qm5v-j4pc.json
CWE IDs: ["CWE-256", "CWE-522"]
Alternative ID: GHSA-wcjj-qm5v-j4pc
Finding: F085
Auto approve: 1