CVE-2022-29052
First published: Tue Apr 12 2022(Updated: )
Jenkins Google Compute Engine Plugin 4.3.8 and earlier stores private keys unencrypted in cloud agent config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.
Credit: jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Jenkins Google Compute Engine | <=4.3.8 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is CVE-2022-29052?
CVE-2022-29052 is a vulnerability in the Jenkins Google Compute Engine Plugin 4.3.8 and earlier, where private keys are stored unencrypted in cloud agent config.xml files on the Jenkins controller.
How does CVE-2022-29052 impact Jenkins?
CVE-2022-29052 allows users with Extended Read permission or access to the Jenkins controller file system to view private keys stored in cloud agent config.xml files.
What is the severity of CVE-2022-29052?
The severity of CVE-2022-29052 is medium with a CVSS score of 4.3.
How can I fix CVE-2022-29052 in Jenkins?
To fix CVE-2022-29052, update the Jenkins Google Compute Engine Plugin to version 4.3.9 or later.
Where can I find more information about CVE-2022-29052?
You can find more information about CVE-2022-29052 in the Jenkins security advisory: https://www.jenkins.io/security/advisory/2022-04-12/#SECURITY-2045
- collector/nvd-index
- collector/nvd-api
- agent/severity
- agent/author
- agent/references
- agent/weakness
- agent/type
- agent/tags
- agent/event
- agent/description
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- vendor/jenkins
- canonical/jenkins google compute engine
- version/jenkins google compute engine/4.3.8