Description

Jenkins Dingding JSON Pusher Plugin 2.0 and earlier does not mask access tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them.

Remediation

References

http://www.openwall.com/lists/oss-security/2023/12/13/4

https://www.jenkins.io/security/advisory/2023-12-13/#SECURITY-3184

Related Vulnerabilities

CVE-2021-37533 Vulnerability in maven package commons-net:commons-net

CVE-2023-22457 Vulnerability in maven package org.xwiki.contrib:application-ckeditor-plugins

CVE-2022-25186 Vulnerability in maven package com.datapipe.jenkins.plugins:hashicorp-vault-plugin

CVE-2020-2140 Vulnerability in maven package org.jenkins-ci.plugins:audit-trail

CVE-2020-35451 Vulnerability in maven package org.apache.oozie:oozie-tools

Severity

Medium

Classification

CWE-312 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Tags

Mailing List Vendor Advisory