Description

Jenkins Dingding JSON Pusher Plugin 2.0 and earlier does not mask access tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them.

Remediation

References

http://www.openwall.com/lists/oss-security/2023/12/13/4

https://www.jenkins.io/security/advisory/2023-12-13/#SECURITY-3184

Related Vulnerabilities

CVE-2019-16728 Vulnerability in npm package dompurify

CVE-2023-28103 Vulnerability in npm package matrix-react-sdk

CVE-2021-41184 Vulnerability in maven package org.webjars.npm:jquery-ui

CVE-2020-27196 Vulnerability in maven package com.typesafe.play:play-java

CVE-2021-36372 Vulnerability in maven package org.apache.ozone:ozone-common

Severity

Medium

Classification

CWE-312 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Tags

Mailing List Vendor Advisory