Description
Jenkins Mattermost Notification Plugin 2.7.0 and earlier stored webhook URLs containing a secret token unencrypted in its global configuration file and job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system.
Remediation
References
https://jenkins.io/security/advisory/2019-10-23/#SECURITY-1628
http://www.openwall.com/lists/oss-security/2019/10/23/2
Related Vulnerabilities
CVE-2023-28709 Vulnerability in maven package org.apache.tomcat:tomcat-catalina
CVE-2022-23647 Vulnerability in npm package prismjs
CVE-2023-2968 Vulnerability in npm package proxy
CVE-2022-47551 Vulnerability in maven package io.apiman:apiman-manager-api-beans
CVE-2022-43183 Vulnerability in maven package com.xuxueli:xxl-job-core