CVE-2022-34807: 
Java vulnerability analysis and mitigation

CVE-2022-34807 (SECURITY-2073) affects the Jenkins Elasticsearch Query Plugin versions 1.2 and earlier. The vulnerability was disclosed on June 30, 2022, and is classified as a low severity issue. The vulnerability affects the plugin's handling of passwords in its global configuration file (Jenkins Advisory).

The vulnerability has a CVSS v3.1 Base Score of 6.5 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The issue is classified under CWE-522 (Insufficiently Protected Credentials). The vulnerability stems from the plugin storing passwords unencrypted in its global configuration file org.jenkinsci.plugins.elasticsearchquery.ElasticsearchQueryBuilder.xml on the Jenkins controller (NVD).

The vulnerability exposes passwords to users who have access to the Jenkins controller file system. These exposed credentials could potentially be used for unauthorized access to the Elasticsearch service (Jenkins Advisory).

As of the advisory's publication date, no fix is available for this vulnerability in the Elasticsearch Query Plugin. Organizations should carefully consider who has access to the Jenkins controller file system and implement appropriate access controls (Jenkins Advisory).