WEB APPLICATION VULNERABILITIES SCA (Software Composition Analysis)

CVE-2023-50772 Vulnerability in maven package com.zintow:dingding-json-pusher

Description

Jenkins Dingding JSON Pusher Plugin 2.0 and earlier stores access tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Remediation

References

http://www.openwall.com/lists/oss-security/2023/12/13/4

https://www.jenkins.io/security/advisory/2023-12-13/#SECURITY-3184

Related Vulnerabilities

CVE-2022-46907 Vulnerability in maven package org.apache.jspwiki:jspwiki-war

CVE-2021-40865 Vulnerability in maven package org.apache.storm:storm-server

CVE-2022-46684 Vulnerability in maven package com.checkmarx.jenkins:checkmarx

CVE-2021-21348 Vulnerability in maven package com.thoughtworks.xstream:xstream

CVE-2021-25329 Vulnerability in maven package org.apache.tomcat:tomcat-catalina

Severity

Medium

Classification

CWE-312 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Tags

Mailing List Vendor Advisory