Description

Jenkins Build Notifications Plugin 1.5.0 and earlier stores tokens unencrypted in its global configuration files on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

Remediation

References

https://www.jenkins.io/security/advisory/2022-06-30/#SECURITY-2056

Related Vulnerabilities

CVE-2021-21165 Vulnerability in maven package org.webjars.npm:electron

CVE-2021-22095 Vulnerability in maven package org.springframework.amqp:spring-amqp

CVE-2018-17960 Vulnerability in npm package ckeditor

CVE-2015-5254 Vulnerability in maven package org.apache.activemq:activemq-all

CVE-2014-8110 Vulnerability in maven package org.apache.activemq:activemq-web-console

Severity

Medium

Classification

CWE-522 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Tags

Vendor Advisory