GHSA-v3r8-6vfj-pppf

Source

https://github.com/advisories/GHSA-v3r8-6vfj-pppf

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-v3r8-6vfj-pppf/GHSA-v3r8-6vfj-pppf.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-v3r8-6vfj-pppf

Aliases

CVE-2022-34800

Published

2022-07-01T00:01:07Z

Modified

2024-02-16T08:15:48.315950Z

Severity

3.3 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Plaintext Storage of a Password in Jenkins Build Notifications Plugin

Details

Build Notifications Plugin 1.5.0 and earlier stores multiple tokens unencrypted in its global configuration files on the Jenkins controller as part of its configuration:- Pushover Application Token in tools.devnull.jenkins.plugins.buildnotifications.PushoverNotifier.xml\n- Slack Bot Token in tools.devnull.jenkins.plugins.buildnotifications.SlackNotifier.xml\n- Telegram Bot Token in tools.devnull.jenkins.plugins.buildnotifications.TelegramNotifier.xml

Database specific

{
    "nvd_published_at": "2022-06-30T18:15:00Z",
    "severity": "LOW",
    "github_reviewed_at": "2022-07-12T21:25:42Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-256",
        "CWE-522"
    ]
}

References

Affected packages

Maven / tools.devnull:build-notifications

Package

Name: tools.devnull:build-notifications; View open source insights on deps.dev
Purl: pkg:maven/tools.devnull/build-notifications

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

1.5.0

Affected versions

1.*

1.4.2

1.4.3

1.5.0