Description

Jenkins RocketChat Notifier Plugin 1.5.2 and earlier stores the login password and webhook token unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

Remediation

References

https://www.jenkins.io/security/advisory/2022-06-30/#SECURITY-2088

Related Vulnerabilities

CVE-2021-37580 Vulnerability in maven package org.apache.shenyu:shenyu-admin

CVE-2023-37909 Vulnerability in maven package org.xwiki.platform:xwiki-platform-menu-ui

CVE-2023-30531 Vulnerability in maven package org.jenkins-ci.plugins:consul-kv-builder

CVE-2022-36098 Vulnerability in maven package org.xwiki.platform:xwiki-platform-mentions-ui

CVE-2020-6541 Vulnerability in npm package electron

Severity

Medium

Classification

CWE-522 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Tags

Vendor Advisory