Description

Jenkins GitHub Pull Request Coverage Status Plugin 2.2.0 and earlier stores the GitHub Personal Access Token, Sonar access token and Sonar password unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

Remediation

References

https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-2767

Related Vulnerabilities

CVE-2022-28732 Vulnerability in maven package org.apache.jspwiki:jspwiki-war

CVE-2011-5062 Vulnerability in maven package org.apache.tomcat:catalina

CVE-2023-38700 Vulnerability in npm package matrix-appservice-irc

CVE-2015-2080 Vulnerability in maven package org.eclipse.jetty:jetty-http

CVE-2013-4221 Vulnerability in maven package org.restlet:org.restlet

Severity

Medium

Classification

CWE-312 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Vendor Advisory