Description

Jenkins RocketChat Notifier Plugin 1.5.2 and earlier stores the login password and webhook token unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

Remediation

References

https://www.jenkins.io/security/advisory/2022-06-30/#SECURITY-2088

Related Vulnerabilities

CVE-2017-5644 Vulnerability in maven package org.apache.poi:poi-ooxml

CVE-2023-30531 Vulnerability in maven package org.jenkins-ci.plugins:consul-kv-builder

CVE-2018-1000113 Vulnerability in maven package org.jenkins-ci.plugins:testlink

CVE-2019-16303 Vulnerability in npm package generator-jhipster-kotlin

CVE-2018-1000170 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

Severity

Medium

Classification

CWE-522 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Tags

Vendor Advisory