CVE-2020-2297 – com.hoiio.jenkins:sms
Package
Manager: maven
Name: com.hoiio.jenkins:sms
Vulnerable Version: >=0 <=1.2
Severity
Level: Low
CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.0001 (percentile: 0.00839)
Details
Access token stored in plain text by Jenkins SMS Notification Plugin
Jenkins SMS Notification Plugin 1.2 and earlier stores an access token unencrypted in its global configuration file `com.hoiio.jenkins.plugin.SMSNotification.xml` on the Jenkins controller as part of its configuration. This access token can be viewed by users with access to the Jenkins controller file system.
Metadata
Created: 2022-05-24T17:30:19Z
Modified: 2023-10-27T11:55:13Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-vwfv-qpw8-83c7/GHSA-vwfv-qpw8-83c7.json
CWE IDs: ["CWE-522"]
Alternative ID: GHSA-vwfv-qpw8-83c7
Finding: F035
Auto approve: 1