CVE-2021-21634 org.jvnet.hudson.plugins:jabber

Package

Manager: maven
Name: org.jvnet.hudson.plugins:jabber
Vulnerable Version: >=0 <1.42

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00047 (percentile: 0.14107)

Details

Passwords stored in plain text by Jenkins Jabber (XMPP) notifier and control Plugin

Jenkins Jabber (XMPP) notifier and control Plugin 1.41 and earlier stores passwords unencrypted in its global configuration file `hudson.plugins.jabber.im.transport.JabberPublisher.xml` on the Jenkins controller as part of its configuration. These passwords can be viewed by users with access to the Jenkins controller file system.

Jenkins Jabber (XMPP) notifier and control Plugin 1.42 stores passwords encrypted once its configuration is saved again.

Metadata

Created: 2022-05-24T17:45:47Z
Modified: 2023-10-27T14:16:19Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-79r5-rhrw-7pvh/GHSA-79r5-rhrw-7pvh.json
CWE IDs: ["CWE-522"]
Alternative ID: GHSA-79r5-rhrw-7pvh
Finding: F035
Auto approve: 1