Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1nd3htLXdxcHEtdzUzOc4AAWxM
Jenkins Email Extension Plugin showed plain text SMTP password in configuration form field
An exposure of sensitive information vulnerability exists in Jenkins Email Extension Plugin 2.61 and older in src/main/resources/hudson/plugins/emailext/ExtendedEmailPublisher/global.groovy and ExtendedEmailPublisherDescriptor.java that allows attackers with control of a Jenkins administrator's web browser (e.g. malicious extension) to retrieve the configured SMTP password.
Permalink: https://github.com/advisories/GHSA-gwxm-wqpq-w539
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1nd3htLXdxcHEtdzUzOc4AAWxM
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: 3 months ago
CVSS Score: 6.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-gwxm-wqpq-w539, CVE-2018-1000176
References:
- https://nvd.nist.gov/vuln/detail/CVE-2018-1000176
- https://jenkins.io/security/advisory/2018-04-16/
- https://github.com/advisories/GHSA-gwxm-wqpq-w539
Affected Packages
maven:org.jenkins-ci.plugins:email-ext
Affected Version Ranges: <= 2.61
Fixed in: 2.62