Description
Jenkins Dingding JSON Pusher Plugin 2.0 and earlier does not mask access tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them.
Remediation
References
https://www.jenkins.io/security/advisory/2023-12-13/#SECURITY-3184
http://www.openwall.com/lists/oss-security/2023/12/13/4