HTTP Request Plugin 1.15 and earlier stores HTTP Request passwords unencrypted in its global configuration file `jenkins.plugins.http_request.HttpRequest.xml` on the Jenkins controller as part of its configuration when using (deprecated) Basic/Digest Authentication. These passwords can be viewed by users with access to the Jenkins controller file system.

Affected Packages

Maven org.jenkins-ci.plugins:http_request

Affected versions: 0 (fixed in 1.16)

Related CVEs

CVE-2022-36901

Key Information

GHSA ID

GHSA-2qh6-hhvv-m2ww

Published

July 28, 2022 12:00 AM

Last Modified

December 9, 2022 5:01 PM

CVSS Score

2.5 /10

Primary Ecosystem

Maven

Primary Package

org.jenkins-ci.plugins:http_request

GitHub Reviewed

✓ Yes

Dataset

Last updated: August 27, 2025 6:31 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.