First published: Thu Jun 30 2022(Updated: )
Build Notifications Plugin 1.5.0 and earlier stores multiple tokens unencrypted in its global configuration files on the Jenkins controller as part of its configuration:

- Pushover Application Token in `tools.devnull.jenkins.plugins.buildnotifications.PushoverNotifier.xml`
- Slack Bot Token in `tools.devnull.jenkins.plugins.buildnotifications.SlackNotifier.xml`
- Telegram Bot Token in `tools.devnull.jenkins.plugins.buildnotifications.TelegramNotifier.xml`
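Jenkins normally persists values of type `hudson.util.Secret` in XML as a brace-wrapped base64 blob (`{...}`) encrypted with the controller's master key, so a token that appears in clear text in one of the files above is the symptom this advisory describes. The following audit script is an added example, not code from the plugin or from the Jenkins project: it parses a controller configuration file, looks for token-like element names, and flags values that are not in the encrypted form. The element names (`botToken`, `appToken`) and the sample XML documents are constructed for illustration and are assumptions about the plugin's layout, not taken from its source; the encrypted-form check is a heuristic.

```python
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Jenkins writes encrypted Secret values as "{<base64>}". Anything else in a
# token-like field is being stored in clear. (Heuristic; assumption, not the
# plugin's own logic.)
ENCRYPTED_SECRET = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")

# Element names that usually hold credentials in plugin configuration files.
SENSITIVE_NAME = re.compile(r"(token|secret|password|apikey|api_key)", re.IGNORECASE)


def redact(value: str, keep: int = 4) -> str:
    """Keep a short prefix so a finding can be matched to a known token
    without copying the whole secret into an audit report."""
    return value[:keep] + "*" * max(len(value) - keep, 0)


def find_plaintext_secrets(xml_text: str) -> List[Tuple[str, str]]:
    """Return (element name, redacted value) for every token-like element
    whose value is not in Jenkins' encrypted "{...}" form."""
    root = ET.fromstring(xml_text)
    findings: List[Tuple[str, str]] = []
    for elem in root.iter():
        tag = elem.tag.rsplit("}", 1)[-1]  # strip any XML namespace
        if not SENSITIVE_NAME.search(tag):
            continue
        value = (elem.text or "").strip()
        if not value or ENCRYPTED_SECRET.match(value):
            continue
        findings.append((tag, redact(value)))
    return findings


def audit_file(path: str) -> List[Tuple[str, str]]:
    """Audit one configuration file on the controller, e.g. one of the
    *Notifier.xml files named in the advisory (path is supplied by the caller)."""
    with open(path, encoding="utf-8") as fh:
        return find_plaintext_secrets(fh.read())


# Constructed sample documents (element names are assumptions, not the plugin's real schema).
SAMPLE_PLAINTEXT = """<?xml version='1.1' encoding='UTF-8'?>
<tools.devnull.jenkins.plugins.buildnotifications.SlackNotifier>
  <botToken>xoxb-EXAMPLE-NOT-A-REAL-TOKEN</botToken>
  <channel>#builds</channel>
</tools.devnull.jenkins.plugins.buildnotifications.SlackNotifier>
"""

SAMPLE_ENCRYPTED = """<?xml version='1.1' encoding='UTF-8'?>
<tools.devnull.jenkins.plugins.buildnotifications.PushoverNotifier>
  <appToken>{AQAAABAAAAAgExampleEncryptedBase64==}</appToken>
  <userKey>{AQAAABAAAAAgAnotherEncryptedValue==}</userKey>
</tools.devnull.jenkins.plugins.buildnotifications.PushoverNotifier>
"""

if __name__ == "__main__":
    for name, doc in (("plaintext sample", SAMPLE_PLAINTEXT), ("encrypted sample", SAMPLE_ENCRYPTED)):
        hits = find_plaintext_secrets(doc)
        print(f"{name}: {len(hits)} clear-text token(s)")
        for tag, masked in hits:
            print(f"  {tag} = {masked}")
```

Running the audit over the three files listed above (and over `$JENKINS_HOME` generally) gives a quick way to confirm whether an installed version is still writing these tokens in clear; a clean result after upgrading indicates the values are now wrapped as encrypted `Secret`s. Because the script redacts values, its output can be attached to a ticket without re-exposing the tokens.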
Credit: jenkinsci-cert@googlegroups.com
Affected Software | Affected Version | How to fix |
---|---|---|
Jenkins Build Notifications | <=1.5.0 | |
maven/tools.devnull:build-notifications | <=1.5.0 | |
CVE-2022-34800 is a vulnerability in the Jenkins Build Notifications Plugin 1.5.0 and earlier that allows unencrypted tokens to be stored in its global configuration files on the Jenkins controller.
The severity of CVE-2022-34800 is medium with a CVSS score of 4.3.
CVE-2022-34800 affects the Jenkins Build Notifications Plugin by storing unencrypted tokens in its global configuration files.
Users with access to the Jenkins controller file system can exploit the vulnerability in CVE-2022-34800 to view the unencrypted tokens stored in the configuration files.
Yes, a fix for CVE-2022-34800 is available. Users should update to a version of the Jenkins Build Notifications Plugin after 1.5.0 that addresses the vulnerability.