Description

Jenkins Dingding JSON Pusher Plugin 2.0 and earlier does not mask access tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them.

Remediation

References

http://www.openwall.com/lists/oss-security/2023/12/13/4

https://www.jenkins.io/security/advisory/2023-12-13/#SECURITY-3184

Related Vulnerabilities

CVE-2022-34213 Vulnerability in maven package org.jenkins-ci.plugins:squashtm-publisher

CVE-2022-33140 Vulnerability in maven package org.apache.nifi.registry:nifi-registry-core

CVE-2018-17187 Vulnerability in maven package org.apache.qpid:proton-j

CVE-2020-26523 Vulnerability in npm package froala-editor

CVE-2019-1003051 Vulnerability in maven package org.jvnet.hudson.plugins:ircbot

Severity

Medium

Classification

CWE-312 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Tags

Mailing List Vendor Advisory