CVE-2023-50772 – com.zintow:dingding-json-pusher
Package
Manager: maven
Name: com.zintow:dingding-json-pusher
Vulnerable Version: >=0 <=2.0
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00024 (percentile 0.0481)
Details
Tokens stored in plain text by Dingding JSON Pusher Plugin. Jenkins Dingding JSON Pusher Plugin 2.0 and earlier stores access tokens unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
Metadata
Created: 2023-12-13T18:31:04Z
Modified: 2023-12-18T18:39:24Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-wjr6-v4c7-8cv6/GHSA-wjr6-v4c7-8cv6.json
CWE IDs: ["CWE-312"]
Alternative ID: GHSA-wjr6-v4c7-8cv6
Finding: F020
Auto approve: 1