Description

Jenkins Dingding JSON Pusher Plugin 2.0 and earlier does not mask access tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them.

Remediation

References

http://www.openwall.com/lists/oss-security/2023/12/13/4

https://www.jenkins.io/security/advisory/2023-12-13/#SECURITY-3184

Related Vulnerabilities

CVE-2023-31098 Vulnerability in maven package org.apache.inlong:manager-pojo

CVE-2020-36185 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind

CVE-2022-44645 Vulnerability in maven package org.apache.linkis:linkis-metadata-query-service-jdbc

CVE-2022-45400 Vulnerability in maven package org.jvnet.hudson.plugins:japex

CVE-2020-36186 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind

Severity

Medium

Classification

CWE-312 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Tags

Mailing List Vendor Advisory