Join the Cyber Forum: Threat Intel on May 12, 2026 to learn how AI is reshaping threat defense.Join the Virtual Cyber Forum: Threat IntelRegister Now
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • AI Data Pipelines
      Security Data Pipeline for AI SIEM and Data Optimization
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2022-20621

CVE-2022-20621: Jenkins Metrics Information Disclosure Flaw

CVE-2022-20621 is an information disclosure vulnerability in Jenkins Metrics Plugin that exposes unencrypted access keys to users with file system access. This article covers technical details, affected versions, and mitigation.

Published: February 11, 2026

CVE-2022-20621 Overview

CVE-2022-20621 is a sensitive data exposure vulnerability affecting the Jenkins Metrics Plugin version 4.0.2.8 and earlier. The vulnerability exists because the plugin stores an access key unencrypted in its global configuration file on the Jenkins controller, potentially allowing unauthorized users with access to the Jenkins controller file system to view and extract the sensitive credential.

Critical Impact

Unauthorized users with file system access to the Jenkins controller can retrieve plaintext access keys, potentially leading to unauthorized access to metrics endpoints and further compromise of the Jenkins environment.

Affected Products

  • Jenkins Metrics Plugin versions 4.0.2.8 and earlier

Discovery Timeline

  • 2022-01-12 - CVE-2022-20621 published to NVD
  • 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2022-20621

Vulnerability Analysis

This vulnerability is classified under CWE-522 (Insufficiently Protected Credentials). The Jenkins Metrics Plugin fails to properly encrypt sensitive access keys when storing them in the global configuration file. When the plugin is configured on a Jenkins controller, the access key used for authenticating to metrics endpoints is written to disk in plaintext format.

This insecure storage mechanism creates a significant risk in shared environments or scenarios where multiple users have varying levels of access to the Jenkins controller file system. An attacker with local access privileges could simply read the configuration file to extract the access key without needing to bypass any cryptographic protections.

Root Cause

The root cause of this vulnerability lies in the plugin's failure to implement proper credential encryption before persisting sensitive data to the file system. Jenkins provides APIs for securely storing credentials using encryption, but the Metrics Plugin did not utilize these mechanisms for the access key storage. Instead, the access key is stored as plaintext in the plugin's global configuration XML file on the Jenkins controller.

Attack Vector

The attack vector is local, requiring the attacker to have some level of access to the Jenkins controller file system. An attacker could exploit this vulnerability through several means:

  1. Direct file system access as a legitimate but lower-privileged user on the Jenkins server
  2. Access through compromised backup systems that contain Jenkins configuration files
  3. Exploitation of another vulnerability that grants file read access to the Jenkins controller

Once the attacker gains access to the configuration file, extracting the plaintext access key is trivial. The attacker can then use this key to authenticate to Jenkins Metrics endpoints, potentially gaining insights into system performance data or using the compromised credentials for lateral movement if the same credentials are reused elsewhere.

Detection Methods for CVE-2022-20621

Indicators of Compromise

  • Unusual access patterns to Jenkins configuration directories or files
  • Unexpected reads of the Metrics Plugin configuration file by unauthorized users or processes
  • Authentication attempts to metrics endpoints from unusual IP addresses or user accounts
  • Audit log entries showing file system access to Jenkins controller configuration directories

Detection Strategies

  • Implement file integrity monitoring on Jenkins configuration directories to detect unauthorized access
  • Review Jenkins file system access logs for suspicious read operations targeting plugin configuration files
  • Monitor authentication logs for the metrics endpoints for anomalous access patterns
  • Conduct periodic audits of users and processes with access to the Jenkins controller file system

Monitoring Recommendations

  • Enable detailed audit logging for file system operations on the Jenkins controller
  • Configure alerting for access to sensitive configuration directories outside of normal maintenance windows
  • Implement role-based access controls and monitor for privilege escalation attempts
  • Use SentinelOne Singularity Platform to detect and alert on suspicious file access patterns on Jenkins servers

How to Mitigate CVE-2022-20621

Immediate Actions Required

  • Upgrade the Jenkins Metrics Plugin to a version newer than 4.0.2.8 that addresses this vulnerability
  • Restrict file system access to the Jenkins controller to only essential personnel and processes
  • Rotate the access key used by the Metrics Plugin after upgrading to ensure any potentially compromised keys are invalidated
  • Review access logs to determine if the configuration file containing the plaintext key was accessed by unauthorized parties

Patch Information

Jenkins has released a security advisory addressing this vulnerability. Users should update to the latest version of the Metrics Plugin that properly encrypts the access key in the configuration file. Detailed information about the patch can be found in the Jenkins Security Advisory SECURITY-1624.

Workarounds

  • Implement strict file system permissions on the Jenkins controller to limit access to configuration files
  • Use operating system-level access controls to restrict which users can read the Jenkins home directory
  • Consider using Jenkins' built-in credential management system to store sensitive keys rather than plugin-specific configuration
  • Monitor and audit file access to the Jenkins configuration directory as an interim measure until the plugin can be updated
bash
# Restrict file permissions on Jenkins configuration directory
chmod 700 /var/lib/jenkins
chown -R jenkins:jenkins /var/lib/jenkins

# Verify Metrics Plugin version
java -jar jenkins-cli.jar -s http://localhost:8080/ list-plugins | grep metrics

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeInformation Disclosure
  • Vendor/TechJenkins
  • SeverityMEDIUM
  • CVSS Score5.5
  • EPSS Probability0.02%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityNone
  • CWE References
  • CWE-522
  • Technical References
  • Openwall Security List Discussion
  • Vendor Resources
  • Jenkins Security Advisory SECURITY-1624
  • Related CVEs
  • CVE-2026-33004: Jenkins LoadNinja Information Disclosure
  • CVE-2026-33003: Jenkins LoadNinja Plugin API Key Exposure
  • CVE-2026-27100: Jenkins Information Disclosure Vulnerability
  • CVE-2024-23897: Jenkins Information Disclosure Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English