Description

Jenkins Build Notifications Plugin 1.5.0 and earlier stores tokens unencrypted in its global configuration files on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

Remediation

References

https://www.jenkins.io/security/advisory/2022-06-30/#SECURITY-2056

Related Vulnerabilities

CVE-2020-13940 Vulnerability in maven package org.apache.nifi:nifi-bootstrap

CVE-2019-10342 Vulnerability in maven package io.jenkins.docker:docker-plugin

CVE-2019-10170 Vulnerability in maven package org.keycloak:keycloak-services

CVE-2023-31417 Vulnerability in maven package org.elasticsearch:elasticsearch

CVE-2016-3081 Vulnerability in maven package org.apache.struts.xwork:xwork-core

Severity

Medium

Classification

CWE-522 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Tags

Vendor Advisory