Description

Jenkins Build Notifications Plugin 1.5.0 and earlier stores tokens unencrypted in its global configuration files on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

Remediation

References

https://www.jenkins.io/security/advisory/2022-06-30/#SECURITY-2056

Related Vulnerabilities

CVE-2023-1108 Vulnerability in maven package io.undertow:undertow-core

CVE-2021-20195 Vulnerability in maven package org.keycloak:keycloak-core

CVE-2011-4343 Vulnerability in maven package org.apache.myfaces.core.internal:myfaces-impl-shared

CVE-2022-38369 Vulnerability in maven package org.apache.iotdb:iotdb-server

CVE-2015-8862 Vulnerability in maven package org.webjars.bower:mustache

Severity

Medium

Classification

CWE-522 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Tags

Vendor Advisory