Dingding[钉钉] Plugin stores credentials in plain text
SECURITY-1423 / CVE-2019-10433
Dingding[钉钉] Plugin stores an access token unencrypted in job config.xml files on the Jenkins master. This token can be viewed by users with Extended Read permission, or access to the master file system.
As of publication of this advisory, there is no fix.
--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-de...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/3262bec6-0aea-4cda-a9d5-32bb45c5aa0f%40googlegroups.com.
Regarding the Jira issue portion of the question, I'm guessing that it's likely sitting in a protected issue within the SECURITY project in Jira. Hopefully Daniel Beck (the Jenkins security officer) or one of the security team will see this message and get in touch with further details of the vulnerability, but I'm guessing if you don't hear anything then you could try firing an email to jenkins...@googlegroups.com, which I believe is the security team's private mailing list.
Richard.
On Sun, 19 Jan 2020 at 16:35, liuweiGL <liuwe...@gmail.com> wrote:
I want to fix the problem:
Dingding[钉钉] Plugin stores credentials in plain text
SECURITY-1423 / CVE-2019-10433
Dingding[钉钉] Plugin stores an access token unencrypted in job config.xml files on the Jenkins master. This token can be viewed by users with Extended Read permission, or access to the master file system.
As of publication of this advisory, there is no fix.
And what should I do? I can't find the issue in the Jenkins Jira.
I have fixed the problem, and I want to close the related Jenkins issue, but I still can't find it.