Description
Jenkins Mattermost Notification Plugin 2.7.0 and earlier stored webhook URLs containing a secret token unencrypted in its global configuration file and job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system.
Remediation
References
http://www.openwall.com/lists/oss-security/2019/10/23/2
https://jenkins.io/security/advisory/2019-10-23/#SECURITY-1628
Related Vulnerabilities
CVE-2022-24709 Vulnerability in npm package @awsui/components-react
CVE-2016-8749 Vulnerability in maven package org.apache.camel:camel-jacksonxml
CVE-2020-7784 Vulnerability in npm package ts-process-promises
CVE-2021-23358 Vulnerability in npm package underscore
CVE-2022-28367 Vulnerability in maven package org.owasp.antisamy:antisamy