CVE-2022-36901

MEDIUM

Jenkins HTTP Request < 1.15 - Insufficiently Protected Credentials

Title source: rule

Description

Jenkins HTTP Request Plugin 1.15 and earlier stores HTTP Request passwords unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

References (2)

[Mailing List, Third Party Advisory] http://www.openwall.com/lists/oss-security/2022/07/27/1

[Vendor Advisory] https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-2053

Scores

CVSS v3 6.5

EPSS 0.0046

EPSS Percentile 64.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Classification

CWE

CWE-522

Status published

Affected Products (2)

jenkins/http_request < 1.15

org.jenkins-ci.plugins/http_request < 1.16Maven

Timeline

Published Jul 27, 2022

Tracked Since Feb 18, 2026