CVE-2022-45392 - Unencrypted Passwords in Jenkins NS-ND Integration Performance Publisher Plugin—What You Need to Know

In the world of DevOps, Jenkins is a backbone for automation. But with its flexibility comes responsibility—especially when plugins manage sensitive information. Today, let’s talk about a real-world vulnerability: CVE-2022-45392, which could put your Jenkins credentials at serious risk.

This issue lurks within the NS-ND Integration Performance Publisher Plugin (up to and including version 4.8..143). Let’s break it down, so you know exactly what it is, see the code at fault, understand how attackers might break in, and what you should do right now.

What’s the Problem?

The vulnerability is pretty straightforward:  
The plugin stores passwords *in plain text*, right inside your Jenkins job configuration—specifically, the config.xml file.

This sensitive information can be accessed by two main methods

1. Extended Read permission: Any Jenkins user with this permission can read these files from the web interface.
2. File system access: Anyone with access to the Jenkins server file system can simply open the file and see your credentials.

Here’s an example of what gets written to config.xml

<com.sqm.qualitypublisher.NsNdPublisher>
  <serverAddress>http://test-server</serverAddress>;
  <username>admin</username>
  <password>SuperSecret123</password> <!-- THIS IS STORED IN PLAIN TEXT -->
</com.sqm.qualitypublisher.NsNdPublisher>

There’s no encryption or secret masking. Anyone with access to this file sees the real password.

Exploit Scenario

Imagine you’re running Jenkins and using this plugin. You add a job, store your credentials as part of the job configuration.

Method 1: Extended Read permission

If a malicious Jenkins user has “Extended Read” permissions on a job, they can request /job/<job-name>/config.xml via the Jenkins web UI or API. The full credentials come back in plain text.

Method 2: File System Access

If an attacker (maybe a rogue admin or someone who got into your server) can browse files on the Jenkins controller, they can just go to:

/var/lib/jenkins/jobs/<job-name>/config.xml

…and open it to read the credentials immediately.

Real-World Example - Python Snippet

Let’s say you have file system access. Here’s a quick Python script to scrape all stored plugin passwords from Jenkins job configs:

import os
import xml.etree.ElementTree as ET

JENKINS_HOME = '/var/lib/jenkins/jobs/'

for job_name in os.listdir(JENKINS_HOME):
    job_dir = os.path.join(JENKINS_HOME, job_name)
    config_file = os.path.join(job_dir, 'config.xml')
    if os.path.exists(config_file):
        tree = ET.parse(config_file)
        root = tree.getroot()
        for publisher in root.iter('com.sqm.qualitypublisher.NsNdPublisher'):
            password = publisher.find('password').text
            if password:
                print(f'Job: {job_name}, Password: {password}')

Dangerous, right? Anyone with basic access could pilfer all credentials with a script like this.

Who’s Affected?

- Jenkins servers using the NS-ND Integration Performance Publisher Plugin, version 4.8..143 or older.
- Multi-user Jenkins instances where non-admin users have Extended Read or you have untrusted people with file system access.

Official Advisory & Reference Links

- Jenkins Security Advisory: https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2858
- NVD CVE Record: https://nvd.nist.gov/vuln/detail/CVE-2022-45392
- GitHub Issue: https://github.com/jenkinsci/nsnd-publisher-plugin/security/advisories/GHSA-5c53-wgjr-cvm6

How to Fix It?

If you’re using this plugin, update it.  
The plugin maintainers fixed the issue in later versions by using the Jenkins credentials plugin system, which stores secrets encrypted.

Rotate passwords you had in job configs, as they may be compromised.

3. Make sure only trusted admins have file system access and restrict “Extended Read” Jenkins permission.

TL;DR

- CVE-2022-45392 is a “credential leak” bug in the Jenkins NS-ND Integration Performance Publisher Plugin < 4.8..143.
- Passwords are stored in plain text in config.xml on the Jenkins controller, accessible by users with Extended Read or file access.

Update the plugin, rotate passwords, and review permissions now.

Stay safe, and always treat credentials with care—automation should never mean neglecting security.


*This exclusive write-up is tailored for real-world Jenkins admins and curious security professionals. If you’re running Jenkins, don’t sleep on this bug. Patch it before someone else takes your secrets!*

Timeline

Published on: 11/15/2022 20:15:00 UTC
Last modified on: 11/18/2022 04:49:00 UTC