Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS13anI2LXY0YzctOGN2Ns4AA3vh
Tokens stored in plain text by Dingding JSON Pusher Plugin
Jenkins Dingding JSON Pusher Plugin 2.0 and earlier stores access tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
Permalink: https://github.com/advisories/GHSA-wjr6-v4c7-8cv6
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13anI2LXY0YzctOGN2Ns4AA3vh
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 12 months ago
Updated: 12 months ago
CVSS Score: 4.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Identifiers: GHSA-wjr6-v4c7-8cv6, CVE-2023-50772
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-50772
- https://www.jenkins.io/security/advisory/2023-12-13/#SECURITY-3184
- http://www.openwall.com/lists/oss-security/2023/12/13/4
- https://github.com/advisories/GHSA-wjr6-v4c7-8cv6
Affected Packages
maven:com.zintow:dingding-json-pusher
Affected Version Ranges: <= 2.0
No known fixed version