Lucene search

GitHub Advisory DatabaseGHSA-VWFV-QPW8-83C7

HistoryMay 24, 2022 - 5:30 p.m.

Access token stored in plain text by Jenkins SMS Notification Plugin

2022-05-2417:30:19

CWE-522

GitHub Advisory Database

github.com

2.1 Low

CVSS2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:L/Au:N/C:P/I:N/A:N

3.3 Low

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

0.0004 Low

EPSS

Percentile

12.7%

JSON

Jenkins SMS Notification Plugin 1.2 and earlier stores an access token unencrypted in its global configuration file com.hoiio.jenkins.plugin.SMSNotification.xml on the Jenkins controller as part of its configuration.

This access token can be viewed by users with access to the Jenkins controller file system.

Affected configurations

Vulners

Node

com.hoiio.jenkins\Matchsms

CPENameOperatorVersion
com.hoiio.jenkins:smsle1.2

CPE	Name	Operator	Version
	com.hoiio.jenkins:sms	le	1.2

References

www.openwall.com/lists/oss-security/2020/10/08/5

github.com/advisories/GHSA-vwfv-qpw8-83c7

nvd.nist.gov/vuln/detail/CVE-2020-2297

www.jenkins.io/security/advisory/2020-10-08/#SECURITY-2054

2.1 Low

CVSS2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:L/Au:N/C:P/I:N/A:N

3.3 Low

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

0.0004 Low

EPSS

Percentile

12.7%

JSON

Related for GHSA-VWFV-QPW8-83C7