Description
Jenkins Dingding JSON Pusher Plugin 2.0 and earlier does not mask access tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them.
Remediation
References
http://www.openwall.com/lists/oss-security/2023/12/13/4
https://www.jenkins.io/security/advisory/2023-12-13/#SECURITY-3184