Description
An exposure of sensitive information vulnerability exists in Jenkins OpenId Connect Authentication Plugin 1.4 and earlier in OicSecurityRealm/config.jelly that allows attackers able to view a Jenkins administrator's web browser output, or control the browser (e.g. malicious extension) to retrieve the configured client secret.
Remediation
References
https://jenkins.io/security/advisory/2019-01-28/#SECURITY-886
Related Vulnerabilities
CVE-2018-1062 Vulnerability in maven package org.ovirt.engine.core:vdsbroker
CVE-2018-12545 Vulnerability in maven package org.eclipse.jetty.http2:http2-common
CVE-2022-36033 Vulnerability in maven package org.jsoup:jsoup
CVE-2017-1000505 Vulnerability in maven package org.jenkins-ci.plugins:script-security
CVE-2020-17531 Vulnerability in maven package org.apache.tapestry:tapestry-core