Description
Jenkins Reverse Proxy Auth Plugin 1.7.3 and earlier stores the LDAP manager password unencrypted in the global config.xml file on the Jenkins controller, where it can be viewed by attackers with access to the Jenkins controller file system.
Remediation
References
https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2094
http://www.openwall.com/lists/oss-security/2022/11/15/4