Description

Jenkins GitHub Pull Request Coverage Status Plugin 2.2.0 and earlier stores the GitHub Personal Access Token, Sonar access token and Sonar password unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

Remediation

References

https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-2767

Related Vulnerabilities

CVE-2020-13935 Vulnerability in maven package org.apache.tomcat:tomcat-coyote

CVE-2020-1957 Vulnerability in maven package org.apache.shiro:shiro-web

CVE-2021-45456 Vulnerability in maven package org.apache.kylin:kylin-server-base

CVE-2011-1475 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core

CVE-2017-7661 Vulnerability in maven package org.apache.cxf.fediz:fediz-jetty9

Severity

Medium

Classification

CWE-312 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Vendor Advisory