[JENKINS:SECURITY-2161] Passwords stored in plain text by `instant-messaging`

Severity Low
Affected Packages 2
Fixed Packages 2
CVEs 1

instant-messaging provides a framework for plugins integrating Jenkins with instant messaging services.

instant-messaging 1.41 and earlier stores passwords for group chats unencrypted in the global configuration file of plugins based on instant-messaging on the Jenkins controller.

These passwords can be viewed by users with access to the Jenkins controller file system.

instant-messaging 1.42 stores passwords for group chats encrypted once the integrating plugin's configuration is saved again.
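Because 1.42 only encrypts a stored password when the integrating plugin's configuration is saved again, it is worth checking the file on disk after upgrading. The following is an added example, not code from the advisory or the plugin: it reports elements whose value is not in the brace-wrapped base64 form Jenkins uses for encrypted secrets. The element name `password`, the function name and the sample document are assumptions, and the configuration file path is supplied by the operator.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Jenkins writes encrypted secrets as base64 wrapped in braces. This is a
# format heuristic: a plaintext value of the same shape would be missed.
ENCRYPTED = re.compile(r"^\{[A-Za-z0-9+/]+={0,2}\}$")
XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")


def plaintext_fields(xml_text, tag="password"):
    """Return paths of <tag> elements holding a non-empty, unencrypted value.

    The tag name is an assumption; the advisory does not name the element.
    """
    # Jenkins may emit an XML 1.1 declaration, which expat rejects; drop it.
    root = ET.fromstring(XML_DECL.sub("", xml_text, count=1))
    findings = []

    def walk(node, path):
        here = f"{path}/{node.tag}"
        value = (node.text or "").strip()
        if node.tag == tag and value and not ENCRYPTED.match(value):
            findings.append(here)  # report the location only, never the value
        for child in node:
            walk(child, here)

    walk(root, "")
    return findings


# Constructed sample, not a real plugin configuration file.
SAMPLE = """<?xml version='1.1' encoding='UTF-8'?>
<descriptor>
  <chats>
    <chat><name>room-a</name><password>hunter2</password></chat>
    <chat><name>room-b</name><password>{AQAAABAAAAAQc2FtcGxlLW5vdC1yZWFs}</password></chat>
    <chat><name>room-c</name><password></password></chat>
  </chats>
</descriptor>"""

if __name__ == "__main__":
    # Pass the path of the plugin's global configuration file as the argument.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    hits = plaintext_fields(text)
    for hit in hits:
        print("plaintext value at", hit)
    sys.exit(1 if hits else 0)
```

A non-zero exit status means at least one value is still stored unencrypted and the configuration needs to be saved again.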

ID: JENKINS:SECURITY-2161
Severity: low
Published: 2022-03-29T00:00:00
Modified: 2022-03-29T00:00:00
Rights: Jenkins Security Team
Other Advisories
Source: Plugin repository (instant-messaging repository), https://github.com/jenkinsci/instant-messaging-plugin
| Type | Package URL | Namespace | Name / Product | Version |
|---|---|---|---|---|
| Affected | pkg:maven/org.jenkins-ci.plugins/instant-messaging | org.jenkins-ci.plugins | instant-messaging | <= 1.41 |
| Fixed | pkg:maven/org.jenkins-ci.plugins/instant-messaging | org.jenkins-ci.plugins | instant-messaging | = 1.42 |
| Affected | pkg:github/jenkinsci/instant-messaging-plugin | jenkinsci | instant-messaging-plugin | <= 1.41 |
| Fixed | pkg:github/jenkinsci/instant-messaging-plugin | jenkinsci | instant-messaging-plugin | = 1.42 |