CVE-2024-34147 – org.jenkins-ci.plugins:telegrambot
Package
Manager: maven
Name: org.jenkins-ci.plugins:telegrambot
Vulnerable Version: >=0 <=1.4.0
Severity
Level: Low
CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00052 (percentile 0.16062)
Details
Jenkins Telegram Bot Plugin stores the Telegram Bot token in plaintext
Jenkins Telegram Bot Plugin 1.4.0 and earlier stores the Telegram Bot token unencrypted in its global configuration file `jenkinsci.plugins.telegrambot.TelegramBotGlobalConfiguration.xml` on the Jenkins controller as part of its configuration. This token can be viewed by users with access to the Jenkins controller file system. As of publication of this advisory, there is no fix.
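Added defender's check, not part of the advisory or the plugin: the script parses a constructed copy of the configuration file named above and reports any element whose value is a bare Telegram bot token rather than a Jenkins-encrypted Secret (the `{base64}` form Jenkins writes for Secret-typed fields). The `<botToken>` element name and the token layout are assumptions.

```python
"""Check the plugin's global config XML for a bare (unencrypted) bot token."""
import re
import xml.etree.ElementTree as ET

# Bare Telegram bot token: numeric bot id, colon, 35-character secret (assumed layout).
TELEGRAM_TOKEN = re.compile(r"\d{6,12}:[A-Za-z0-9_-]{35}")
# Jenkins-encrypted Secret values are serialised as base64 inside braces.
JENKINS_SECRET = re.compile(r"\{[A-Za-z0-9+/=]+\}")

# Constructed samples in the shape of the file named in the advisory; the
# <botToken> element name is an assumption, not taken from the plugin source.
SAMPLE_PLAINTEXT = """<jenkinsci.plugins.telegrambot.TelegramBotGlobalConfiguration>
  <botToken>123456789:AAEXAMPLEtokenValueNotRealxxxxxxxxx</botToken>
  <botName>example_bot</botName>
</jenkinsci.plugins.telegrambot.TelegramBotGlobalConfiguration>
"""
SAMPLE_ENCRYPTED = SAMPLE_PLAINTEXT.replace(
    "123456789:AAEXAMPLEtokenValueNotRealxxxxxxxxx",
    "{AQAAABAAAAAwConstructedNotARealCiphertext==}",
)


def mask(token: str) -> str:
    """Keep only the bot id and a few secret characters for reporting."""
    bot_id, _, secret = token.partition(":")
    return f"{bot_id}:{secret[:4]}...{secret[-2:]}"


def find_plaintext_tokens(xml_text: str) -> list:
    """Return (tag, masked token) for each element holding a bare bot token.

    Values already in Jenkins Secret form are skipped, so the check reports
    nothing once the token is stored encrypted.
    """
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        value = (elem.text or "").strip()
        if not value or JENKINS_SECRET.fullmatch(value):
            continue
        if TELEGRAM_TOKEN.fullmatch(value):
            findings.append((elem.tag, mask(value)))
    return findings


if __name__ == "__main__":
    for tag, masked in find_plaintext_tokens(SAMPLE_PLAINTEXT):
        print(f"plaintext token in <{tag}>: {masked}")
```

Run it against the real file read from the controller's `$JENKINS_HOME` to confirm exposure; a hit means the token should be treated as disclosed to everyone with controller file-system access.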
Metadata
Created: 2024-05-02T15:30:35Z
Modified: 2024-07-03T20:11:35Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-94pr-w968-h923/GHSA-94pr-w968-h923.json
CWE IDs: ["CWE-522"]
Alternative ID: GHSA-94pr-w968-h923
Finding: F035
Auto approve: 1