Description
Jenkins instant-messaging Plugin 1.41 and earlier stores passwords for group chats unencrypted in the global configuration file of plugins based on Jenkins instant-messaging Plugin on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.
Remediation
References
http://www.openwall.com/lists/oss-security/2022/03/29/1
https://www.jenkins.io/security/advisory/2022-03-29/#SECURITY-2161
Related Vulnerabilities
CVE-2021-25946 Vulnerability in npm package nconf-toml
CVE-2019-1010091 Vulnerability in maven package org.webjars:tinymce
CVE-2021-41174 Vulnerability in npm package @grafana/data
CVE-2020-6449 Vulnerability in maven package org.webjars.npm:electron
CVE-2023-29566 Vulnerability in npm package dawnsparks-node-tesseract