Description

Jenkins Build Notifications Plugin 1.5.0 and earlier stores tokens unencrypted in its global configuration files on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

Remediation

References

https://www.jenkins.io/security/advisory/2022-06-30/#SECURITY-2056

Related Vulnerabilities

CVE-2018-20677 Vulnerability in npm package bootstrap-sass

CVE-2011-4838 Vulnerability in maven package jruby:jruby

CVE-2020-13934 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core

CVE-2012-5633 Vulnerability in maven package org.apache.cxf:cxf-bundle-minimal

CVE-2019-1003037 Vulnerability in maven package org.jenkins-ci.plugins:azure-vm-agents

Severity

Medium

Classification

CWE-522 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Tags

Vendor Advisory