Description

Jenkins Dingding JSON Pusher Plugin 2.0 and earlier does not mask access tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them.

Remediation

References

http://www.openwall.com/lists/oss-security/2023/12/13/4

https://www.jenkins.io/security/advisory/2023-12-13/#SECURITY-3184

Related Vulnerabilities

CVE-2019-1003031 Vulnerability in maven package org.jenkins-ci.plugins:matrix-project

CVE-2020-13931 Vulnerability in maven package org.apache.tomee:openejb-core

CVE-2023-29520 Vulnerability in maven package org.xwiki.platform:xwiki-platform-localization-source-wiki

CVE-2020-17519 Vulnerability in maven package org.apache.flink:flink-runtime_2.12

CVE-2019-1003032 Vulnerability in maven package org.jenkins-ci.plugins:email-ext

Severity

Medium

Classification

CWE-312 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Tags

Mailing List Vendor Advisory