Description

Jenkins Slack Upload Plugin 1.7 and earlier stores a secret unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system.

Remediation

References

https://jenkins.io/security/advisory/2020-07-02/#SECURITY-1627

http://www.openwall.com/lists/oss-security/2020/07/02/7

Related Vulnerabilities

CVE-2014-7810 Vulnerability in maven package org.apache.tomcat:el-api

CVE-2014-3500 Vulnerability in npm package cordova-android

CVE-2017-1000400 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2023-49210 Vulnerability in npm package openssl

CVE-2016-0763 Vulnerability in maven package org.apache.tomcat:tomcat-catalina

Severity

Medium

Classification

CWE-522 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Tags

Vendor Advisory Mailing List Third Party Advisory