Jenkins is an automation tool famous in the DevOps world for continuous integration and continuous delivery (CI/CD). Like any software, it uses plugins to extend its functionality. One such plugin is "Metrics." In early 2022, a security issue was found in the Jenkins Metrics Plugin (versions 4..2.8 and earlier): CVE-2022-20621. This vulnerability exposed access keys in plain text, putting your Jenkins environment (and possibly your whole CI pipeline) at risk.
This long read will break down this vulnerability in simple terms: what happened, how it could be exploited, and what you can do about it. We'll throw in code snippets for those who want to see the nitty-gritty and provide essential links to stay informed.
What is Jenkins Metrics Plugin?
The Metrics Plugin is used to monitor Jenkins’ performance. It provides a set of monitoring endpoints and gathers various metrics that can be sent to external monitoring systems. Sometimes, these external systems require authentication, so admins can enter access keys into plugin settings.
The Problem
- Jenkins Metrics Plugin (4..2.8 and earlier) stored access keys in plain text inside its main configuration XML file.
This file is located on the Jenkins controller server (not the agent nodes).
- Anyone with filesystem access on the Jenkins controller (even at a limited level) could open this config file and read the access key.
Plain English: If someone could get onto your Jenkins server, they could easily find and steal your monitoring system’s secret access key.
In Jenkins, each plugin can have its own configuration file. For Metrics, it’s generally in
$JENKINS_HOME/metrics-configuration.xml
If you open this file before patching, you might see something like this
<metrics-plugin>
<endpoint>https://metrics.example.com/api</endpoint>;
<accessKey>supersecretkey123</accessKey>
<enabled>true</enabled>
</metrics-plugin>
Notice: The <accessKey> value is just sitting there, not encrypted or masked.
Anyone running Jenkins Metrics Plugin 4..2.8 or older
- If your Jenkins controller isn’t locked down (e.g., developers, testers, or even attackers have access), then those users can grab sensitive keys.
The most immediate threat is an attacker who already has some access to your Jenkins server. This could be:
Someone who found an exposed or weak credential on the server
While the attack requires filesystem access, in most organizations, it’s still easier than forcing a plugin to spit out secrets via a network attack.
Imagine an attacker with SSH or local access (like a developer account). The attack would be trivial
cat $JENKINS_HOME/metrics-configuration.xml | grep accessKey
# Output:
# <accessKey>supersecretkey123</accessKey>
Or in Python (if you wanted to automate it)
import xml.etree.ElementTree as ET
tree = ET.parse('/var/lib/jenkins/metrics-configuration.xml')
root = tree.getroot()
for access_key in root.iter('accessKey'):
print("Access Key found:", access_key.text)
Automated Extraction Over Many Hosts
If an attacker had access to several Jenkins controllers, they could scan each one for unencrypted keys using a shell script:
find / -name "metrics-configuration.xml" -exec grep accessKey {} \; 2>/dev/null
Result: All discovered access keys printed to their screen.
Connect to your metrics server: They can view or manipulate monitoring data.
- Masquerade as Jenkins: If the key is used for authentication, they might submit fake performance reports.
Pivot: Gaining more information about your setup could lead to further attacks.
Worse, if you’re recycling the same key for other services (never a good idea), impacts could go beyond metrics.
Regularly audit configuration files for secrets.
The Jenkins team patched this in later releases of the Metrics Plugin, storing access keys encrypted at rest.
Rotate Your Access Key
- After updating, generate a new key on your metrics system and update Jenkins with the new (and now encrypted) key.
References and Links
- CVE-2022-20621 (MITRE)
- Jenkins Security Advisory for CVE-2022-20621
- Jenkins Metrics Plugin change log
- Jenkins Plugin Documentation
Final Thoughts
Jenkins is a powerful tool, but with great power comes the need for great caution. CVE-2022-20621 is a reminder to always check how secrets are stored—especially in plugin configuration files. If you still run an old version of the Metrics plugin, you need to upgrade and rotate your keys as soon as possible.
Timeline
Published on: 01/12/2022 20:15:00 UTC
Last modified on: 01/18/2022 19:27:00 UTC