Headline

GHSA-94pr-w968-h923: Jenkins Telegram Bot Plugin stores the Telegram Bot token in plaintext

Jenkins Telegram Bot Plugin 1.4.0 and earlier stores the Telegram Bot token unencrypted in its global configuration file jenkinsci.plugins.telegrambot.TelegramBotGlobalConfiguration.xml on the Jenkins controller as part of its configuration.

This token can be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

6 months ago

ghsa

Open in Source

#vulnerability #git #java #maven

Navigation Menu

- Actions
  
  Automate any workflow
- Packages
  
  Host and manage packages
- Security
  
  Find and fix vulnerabilities
- Codespaces
  
  Instant dev environments
- Copilot
  
  Write better code with AI
- Code review
  
  Manage code changes
- Issues
  
  Plan and track work
- Discussions
  
  Collaborate outside of code

- GitHub Sponsors
  
  Fund open source developers

*   The ReadME Project
    
    GitHub community articles

Pricing

Provide feedback

Saved searches****Use saved searches to filter your results more quickly

GitHub Advisory Database
GitHub Reviewed
CVE-2024-34147

Jenkins Telegram Bot Plugin stores the Telegram Bot token in plaintext

Low severity GitHub Reviewed Published May 2, 2024 to the GitHub Advisory Database • Updated May 3, 2024

Package

maven org.jenkins-ci.plugins:telegrambot (Maven)

Affected versions

<= 1.4.0

Description

Published to the GitHub Advisory Database

May 2, 2024

ghsa: Latest News

GHSA-8pmp-678w-c8xx: gitsign may use incorrect Rekor entries during verification

51 minutes ago

ghsa

GHSA-wvv7-wm5v-w2gv: Osmedeus Web Server Vulnerable to Stored XSS, Leading to RCE

1 hour ago

ghsa

GHSA-cc6x-8cc7-9953: OctoPrint has API key access in settings without reauthentication

1 hour ago

ghsa

GHSA-xvxq-g8hw-fx4g: OctoPrint Vulnerable to Reflected XSS in Jinja2 Templates

1 hour ago

ghsa

GHSA-g5vw-3h65-2q3v: Access control vulnerable to user data deletion by anonynmous users

16 hours ago

ghsa