GHSA-wjr6-v4c7-8cv6

Source

https://github.com/advisories/GHSA-wjr6-v4c7-8cv6

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-wjr6-v4c7-8cv6/GHSA-wjr6-v4c7-8cv6.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-wjr6-v4c7-8cv6

Aliases

CVE-2023-50772

Published

2023-12-13T18:31:04Z

Modified

2024-02-16T08:12:37.108008Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Tokens stored in plain text by Dingding JSON Pusher Plugin

Details

Jenkins Dingding JSON Pusher Plugin 2.0 and earlier stores access tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Database specific

{
    "nvd_published_at": "2023-12-13T18:15:44Z",
    "cwe_ids": [
        "CWE-312"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-12-13T19:34:44Z"
}

References

Affected packages

Maven / com.zintow:dingding-json-pusher

Package

Name: com.zintow:dingding-json-pusher; View open source insights on deps.dev
Purl: pkg:maven/com.zintow/dingding-json-pusher

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

2.0

GHSA-wjr6-v4c7-8cv6

Affected packages

Maven / com.zintow:dingding-json-pusher

Package

Affected ranges

Affected versions

1.*

2.*