GHSA-gg9m-x3cg-69vh

GitHub Security Advisory

Access key stored in plain text by Jenkins Metrics Plugin

✓ GitHub Reviewed MODERATE Has CVE

Advisory Details

Jenkins Metrics Plugin 4.0.2.8 and earlier stores an access key unencrypted in its global configuration file `jenkins.metrics.api.MetricsAccessKey.xml` on the Jenkins controller as part of its configuration.

This access key can be viewed by users with access to the Jenkins controller file system.

Jenkins Metrics Plugin 4.0.2.8.1 stores the access key encrypted once its configuration is saved again.

Additionally, the token value is only displayed once when it is generated.

Affected Packages

Maven org.jenkins-ci.plugins:metrics
Affected versions: 4.0.2.8 (fixed in 4.0.2.8.1)
Maven org.jenkins-ci.plugins:metrics
Affected versions: 0 (fixed in 4.0.2.7.1)

Related CVEs

Key Information

GHSA ID: GHSA-gg9m-x3cg-69vh
Published: January 13, 2022 12:00 AM
Last Modified: October 27, 2023 4:17 PM
CVSS Score: 5.0/10
Primary Ecosystem: Maven
Primary Package: org.jenkins-ci.plugins:metrics
GitHub Reviewed: ✓ Yes

Dataset

Last updated: August 25, 2025 6:33 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.