Description
Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.143 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by attackers with Extended Read permission, or access to the Jenkins controller file system.
Remediation
References
https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2912
http://www.openwall.com/lists/oss-security/2022/11/15/4
Related Vulnerabilities
CVE-2016-3093 Vulnerability in maven package com.opensymphony:xwork-core
CVE-2023-43495 Vulnerability in maven package org.jenkins-ci.main:jenkins-core
CVE-2020-8203 Vulnerability in maven package org.webjars.bowergithub.lodash:lodash
CVE-2019-3772 Vulnerability in maven package org.springframework.integration:spring-integration-xml
CVE-2023-29566 Vulnerability in npm package dawnsparks-node-tesseract