Description

Jenkins Build Notifications Plugin 1.5.0 and earlier stores tokens unencrypted in its global configuration files on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

Remediation

References

https://www.jenkins.io/security/advisory/2022-06-30/#SECURITY-2056

Related Vulnerabilities

CVE-2021-34797 Vulnerability in maven package org.apache.geode:geode-core

CVE-2009-0781 Vulnerability in maven package org.apache.tomcat:catalina

CVE-2014-0035 Vulnerability in maven package org.apache.cxf:cxf-rt-ws-security

CVE-2015-0227 Vulnerability in maven package org.apache.wss4j:wss4j-ws-security-dom

CVE-2022-43441 Vulnerability in maven package org.webjars.npm:sqlite3

Severity

Medium

Classification

CWE-522 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Tags

Vendor Advisory