CVE-2022-45384: Vulnerability in Jenkins project Jenkins Reverse Proxy Auth Plugin
Jenkins Reverse Proxy Auth Plugin 1.7.3 and earlier stores the LDAP manager password unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by attackers with access to the Jenkins controller file system.
AI Analysis
Technical Summary
CVE-2022-45384 is a vulnerability identified in the Jenkins Reverse Proxy Auth Plugin, specifically versions 1.7.3 and earlier. This plugin is used within Jenkins environments to facilitate authentication via a reverse proxy, often integrating with LDAP for user management. The vulnerability arises because the LDAP manager password is stored unencrypted in the global config.xml file on the Jenkins controller. This file resides on the Jenkins controller's file system and can be accessed by any attacker who has file system access to the controller. The exposure of the LDAP manager password compromises confidentiality, as an attacker can retrieve credentials that may allow further unauthorized access to the LDAP directory or other systems relying on these credentials. The vulnerability is classified under CWE-522, which relates to the storage of passwords in a recoverable format. The CVSS v3.1 base score is 6.5 (medium severity) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating that the vulnerability can be exploited remotely over the network with low attack complexity, requires low privileges (authenticated user), no user interaction, and impacts confidentiality significantly but does not affect integrity or availability. No known exploits in the wild have been reported to date. The vulnerability was published on November 15, 2022. No patch links are provided in the source information, so it is unclear if a fixed version is available or if mitigation relies on configuration changes or access controls. The core risk is that an attacker who gains access to the Jenkins controller file system—potentially through other vulnerabilities or insider threat—can extract sensitive LDAP credentials, which may lead to broader compromise of enterprise authentication infrastructure.
Potential Impact
For European organizations, this vulnerability poses a significant risk to the security of Jenkins-based CI/CD pipelines and the broader enterprise authentication environment. Jenkins is widely used across Europe in software development and IT operations, including in critical infrastructure, financial services, manufacturing, and government sectors. The exposure of LDAP manager credentials can lead to unauthorized access to user directories, enabling attackers to escalate privileges, move laterally within networks, or exfiltrate sensitive data. Since the vulnerability requires file system access to the Jenkins controller, it often implies that an attacker has already breached perimeter defenses or gained insider access, making this vulnerability a critical post-compromise risk. The confidentiality impact is high, as credentials are exposed in plaintext, but integrity and availability of Jenkins services are not directly affected by this vulnerability. However, the potential for credential theft can indirectly lead to further attacks that compromise system integrity and availability. The medium CVSS score reflects the requirement for some level of authenticated access or prior compromise, but the ease of password extraction once access is obtained increases the threat level. European organizations with strict data protection regulations (e.g., GDPR) may face compliance risks if such credential exposures lead to data breaches.
Mitigation Recommendations
1. Immediately restrict file system access on Jenkins controllers to trusted administrators only, enforcing strict access controls and monitoring for unauthorized access attempts.
2. Rotate LDAP manager passwords regularly and especially after any suspected compromise or exposure.
3. Avoid using the Jenkins Reverse Proxy Auth Plugin versions 1.7.3 and earlier; upgrade to a fixed version if available or consider alternative authentication methods that do not store sensitive credentials in plaintext.
4. Implement encryption or secure credential storage mechanisms for sensitive configuration data, such as Jenkins credentials plugins or external secrets management solutions (e.g., HashiCorp Vault, Azure Key Vault).
5. Monitor Jenkins controller logs and file system access logs for suspicious activity indicative of unauthorized access.
6. Conduct regular security audits and vulnerability scans on Jenkins infrastructure to detect misconfigurations or unauthorized file access.
7. Limit the use of LDAP manager accounts with minimal privileges necessary to reduce the impact of credential exposure.
8. Employ network segmentation to isolate Jenkins controllers from broader enterprise networks to reduce the risk of lateral movement if compromised.
9. Educate administrators and DevOps teams about secure credential handling and the risks of storing passwords in plaintext.
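The following audit script is an added example written for this analysis; it is not code from the Jenkins project or from the Reverse Proxy Auth Plugin. It supports recommendations 1, 4 and 6 above: it walks a controller's global config.xml, reports any directory bind password that is stored as raw text rather than in Jenkins' brace-wrapped encrypted Secret form, and checks that the file is not group- or world-readable. The securityRealm class name, the managerDN/managerPassword element names and both sample configurations are assumptions constructed for the example (the "fixed" ciphertext is a placeholder, not a real Jenkins secret); verify the element names against your own config.xml before relying on the output.

```python
"""Audit helpers for the CVE-2022-45384 class of issue: an LDAP manager
password persisted in plaintext in a Jenkins controller's global config.xml.

Added example, not code from the Jenkins project or the plugin. The realm
class name and the managerPassword element name are assumptions about how
the plugin serialises its settings; check them against a real config.xml.
"""
import os
import re
import stat
import xml.etree.ElementTree as ET

# Jenkins stores an encrypted Secret as base64 wrapped in braces, e.g.
# "{AQAAABAAAAAQ...=}". A password field holding anything else is plaintext.
ENCRYPTED_SECRET_RE = re.compile(r"^\{[A-Za-z0-9+/]+=*\}$")

# Element names that plausibly carry a directory bind password (assumed).
SENSITIVE_TAGS = ("managerPassword", "bindPassword")


def is_encrypted_secret(value: str) -> bool:
    """True if value has the shape of a Jenkins-encrypted Secret."""
    return ENCRYPTED_SECRET_RE.match(value.strip()) is not None


def find_plaintext_secrets(xml_text: str) -> list:
    """Report every sensitive element whose text is non-empty and not
    encrypted. Each finding is (element path, tag, security realm class).
    An empty element (no password configured) is not a finding."""
    root = ET.fromstring(xml_text)
    findings = []

    def walk(elem, path, realm_class):
        # Track which securityRealm implementation we are inside so the
        # report says which plugin owns the offending field.
        if elem.tag == "securityRealm":
            realm_class = elem.get("class", "?")
        text = (elem.text or "").strip()
        if elem.tag in SENSITIVE_TAGS and text and not is_encrypted_secret(text):
            findings.append((path, elem.tag, realm_class))
        for child in elem:
            walk(child, f"{path}/{child.tag}", realm_class)

    walk(root, root.tag, "?")
    return findings


def world_readable_bits(mode: int) -> bool:
    """Recommendation 1 check on a st_mode value: group or other read bits
    mean accounts beyond the Jenkins service user can read the file."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def config_is_world_readable(path: str) -> bool:
    """Same check applied to a file on disk (e.g. $JENKINS_HOME/config.xml)."""
    return world_readable_bits(os.stat(path).st_mode)


# Constructed sample of what an affected (1.7.3 or earlier) install might
# persist. Values are placeholders, not real credentials.
VULNERABLE_CONFIG = """<hudson>
  <securityRealm class="org.jenkinsci.plugins.reverse_proxy_auth.ReverseProxySecurityRealm">
    <server>ldap://ldap.example.internal</server>
    <managerDN>cn=jenkins-bind,ou=svc,dc=example,dc=internal</managerDN>
    <managerPassword>PLACEHOLDER-plaintext-bind-password</managerPassword>
  </securityRealm>
</hudson>
"""

# Constructed sample of the same realm once the password is stored as a
# Jenkins-encrypted Secret (the ciphertext below is a made-up placeholder).
FIXED_CONFIG = VULNERABLE_CONFIG.replace(
    "PLACEHOLDER-plaintext-bind-password",
    "{AQAAABAAAAAQPLACEHOLDERciphertextBase64AAAAAAAAAA==}",
)

if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE_CONFIG), ("fixed", FIXED_CONFIG)):
        hits = find_plaintext_secrets(cfg)
        print(f"{name}: {len(hits)} plaintext secret(s)")
        for path, tag, realm in hits:
            print(f"  {path} <{tag}> in realm {realm}")
```

Run it against a copy of the controller's config.xml (`find_plaintext_secrets(open(path).read())`) as part of a periodic audit; a non-empty result means the bind password should be rotated (recommendation 2) after the plugin is upgraded or the realm reconfigured, since the old value must be assumed exposed.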
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: jenkins
- Date Reserved: 2022-11-14T00:00:00.000Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d983ac4522896dcbeda0a
Added to database: 5/21/2025, 9:09:14 AM
Last enriched: 6/25/2025, 11:16:35 AM
Last updated: 8/13/2025, 3:43:23 AM
Related Threats
- CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server (High)
- CVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)
- CVE-2025-54759: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)