Lucene search

GitHub Advisory DatabaseGHSA-WJR6-V4C7-8CV6

HistoryDec 13, 2023 - 6:31 p.m.

Tokens stored in plain text by Dingding JSON Pusher Plugin

2023-12-1318:31:04

CWE-312

GitHub Advisory Database

github.com

dingding json pusher

access tokens

unencrypted storage

job config.xml

jenkins controller

item/extended read permission

file system access

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

AI Score

6.9

Confidence

High

EPSS

Percentile

13.3%

JSON

Jenkins Dingding JSON Pusher Plugin 2.0 and earlier stores access tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Affected configurations

Vulners

Node

com.zintowdingding-json-pusherRange≤2.0

VendorProductVersionCPE
com.zintowdingding-json-pusher*cpe:2.3:a:com.zintow:dingding-json-pusher:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
com.zintow	dingding-json-pusher	*	cpe:2.3:a:com.zintow:dingding-json-pusher::::::::

References

www.openwall.com/lists/oss-security/2023/12/13/4

github.com/advisories/GHSA-wjr6-v4c7-8cv6

nvd.nist.gov/vuln/detail/CVE-2023-50772

www.jenkins.io/security/advisory/2023-12-13/#SECURITY-3184

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

AI Score

6.9

Confidence

High

EPSS

Percentile

13.3%

JSON

Related for GHSA-WJR6-V4C7-8CV6