Description

Jenkins GitHub Pull Request Coverage Status Plugin 2.2.0 and earlier stores the GitHub Personal Access Token, Sonar access token and Sonar password unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

Remediation

References

https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-2767

Related Vulnerabilities

CVE-2021-21277 Vulnerability in maven package org.webjars.npm:angular-expressions

CVE-2022-34205 Vulnerability in maven package org.jenkins-ci.plugins:jianliao

CVE-2018-1000997 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2022-38369 Vulnerability in maven package org.apache.iotdb:iotdb-server

CVE-2022-39249 Vulnerability in npm package matrix-js-sdk

Severity

Medium

Classification

CWE-312 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Vendor Advisory