Description
Jenkins Mattermost Notification Plugin 2.7.0 and earlier stored Mattermost webhook URLs, which contain a secret token, unencrypted in its global configuration file and in job config.xml files on the Jenkins master. Anyone with Extended Read permission on an affected job, or with access to the master file system, could read them. Because the token in an incoming-webhook URL is the only credential Mattermost checks, anyone who obtains the URL can post messages to the target channel as the integration.
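The weakness is straightforward to audit for on the master's file system. The Python script below is an added example, not code from the advisory or from the plugin, that scans config.xml content for Mattermost incoming-webhook URLs (https://<host>/hooks/<token>) stored as plain text and skips values already in Jenkins's encrypted Secret form (base64 wrapped in braces). The element names in the constructed sample XML (endpoint, the MattermostNotifier tag) are assumptions for illustration and not taken from the plugin's schema; the scan matches on the URL shape, so it does not depend on them.

```python
import os
import re
import xml.etree.ElementTree as ET

# Mattermost incoming-webhook URLs carry the secret token as the last path
# segment: https://<host>/hooks/<token>. The pattern follows that documented
# URL shape; it is not taken from the plugin source.
WEBHOOK_RE = re.compile(r"https?://[^\s<>\"']+/hooks/([A-Za-z0-9_-]+)")

# hudson.util.Secret stores encrypted values as base64 wrapped in braces,
# e.g. {AQAAABAAAAAg...}. Such values are already protected and are skipped.
ENCRYPTED_RE = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")


def redact(url, token):
    """Keep enough of the token to identify the finding without reprinting it."""
    return url.replace(token, token[:4] + "...")


def find_plaintext_webhooks(config_xml):
    """Return [(element_tag, redacted_url)] for every element whose text holds a
    plaintext Mattermost webhook URL. A configuration whose URL is stored in
    Jenkins's encrypted Secret form yields an empty list."""
    findings = []
    root = ET.fromstring(config_xml)
    for elem in root.iter():
        text = (elem.text or "").strip()
        if not text or ENCRYPTED_RE.match(text):
            continue
        match = WEBHOOK_RE.search(text)
        if match:
            findings.append((elem.tag, redact(text, match.group(1))))
    return findings


def scan_jenkins_home(jenkins_home):
    """Walk JENKINS_HOME and report every config.xml with a plaintext webhook."""
    report = {}
    for dirpath, _dirs, files in os.walk(jenkins_home):
        for name in files:
            if name.endswith(".xml"):
                path = os.path.join(dirpath, name)
                try:
                    with open(path, encoding="utf-8") as fh:
                        hits = find_plaintext_webhooks(fh.read())
                except (OSError, ET.ParseError):
                    continue
                if hits:
                    report[path] = hits
    return report


# Constructed sample: a job config.xml as an affected plugin version would
# write it. The MattermostNotifier/endpoint element names are assumed.
VULNERABLE_JOB_CONFIG = """<project>
  <publishers>
    <jenkins.plugins.mattermost.MattermostNotifier>
      <endpoint>https://mattermost.example.com/hooks/abc123def456ghi789jkl012</endpoint>
      <room>#builds</room>
    </jenkins.plugins.mattermost.MattermostNotifier>
  </publishers>
</project>"""

# Constructed sample: the same setting stored as an encrypted Jenkins Secret.
FIXED_JOB_CONFIG = """<project>
  <publishers>
    <jenkins.plugins.mattermost.MattermostNotifier>
      <endpoint>{AQAAABAAAAAwK9b4xT+uPq1Y/ZcLm2NwQ0FzZGZnaGprbA==}</endpoint>
      <room>#builds</room>
    </jenkins.plugins.mattermost.MattermostNotifier>
  </publishers>
</project>"""


if __name__ == "__main__":
    for label, xml in (("vulnerable", VULNERABLE_JOB_CONFIG), ("fixed", FIXED_JOB_CONFIG)):
        print(label, find_plaintext_webhooks(xml))
    home = os.environ.get("JENKINS_HOME")
    if home:
        for path, hits in scan_jenkins_home(home).items():
            print(path, hits)
```

Run it with JENKINS_HOME set on the master to list every config.xml that still carries a plaintext token; each file listed corresponds to a webhook that should be treated as disclosed and rotated in Mattermost.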
Remediation
Update the Mattermost Notification Plugin to a release later than 2.7.0; the linked Jenkins advisory names the fixed version. Upgrading alone does not recover the secret: treat any webhook URL that was stored by an affected version as disclosed, regenerate the incoming webhook in Mattermost and reconfigure the plugin with the new URL. Until the upgrade is done, review who holds Extended Read permission on affected jobs and who can read files under JENKINS_HOME on the master.
References
https://jenkins.io/security/advisory/2019-10-23/#SECURITY-1628
http://www.openwall.com/lists/oss-security/2019/10/23/2
Related Vulnerabilities
CVE-2015-2944 Vulnerability in maven package org.apache.sling:org.apache.sling.api
CVE-2022-36913 Vulnerability in maven package org.jenkins-ci.plugins:openstack-heat
CVE-2021-21631 Vulnerability in maven package org.jenkins-ci.plugins:cloud-stats
CVE-2022-29546 Vulnerability in maven package net.sourceforge.htmlunit:neko-htmlunit
CVE-2017-7677 Vulnerability in maven package org.apache.ranger:ranger