Description

Jenkins GitHub Pull Request Coverage Status Plugin 2.2.0 and earlier stores the GitHub Personal Access Token, Sonar access token and Sonar password unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

Remediation

References

https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-2767

Related Vulnerabilities

CVE-2018-8319 Vulnerability in npm package msrcrypto

CVE-2012-0394 Vulnerability in maven package org.apache.struts:struts2-core

CVE-2017-7677 Vulnerability in maven package org.apache.ranger:ranger

CVE-2021-1628 Vulnerability in maven package org.mule.runtime:mule-core

CVE-2021-21162 Vulnerability in maven package org.webjars.npm:electron

Severity

Medium

Classification

CWE-312 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Vendor Advisory