LOW

SMS Notification Plugin 1.2 and earlier stores an access token unencrypted in its global configuration file com.hoiio.jenkins.plugin.SMSNotification.xml on the Jenkins controller as part of its configuration.
This access token can be viewed by users wi…

couchdb-statistics Plugin 0.3 and earlier stores its server password unencrypted in its global configuration file org.jenkinsci.plugins.couchstats.CouchStatsConfig.xml on the Jenkins controller as part of its configuration.
This password can be viewed …

Jenkins ElasTest Plugin 1.2.1 and earlier stores its server password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.
References

https://nvd.nist….

tfs Plugin 5.157.1 and earlier stores a webhook secret unencrypted in its global configuration file hudson.plugins.tfs.TeamPluginGlobalConfig.xml on the Jenkins controller as part of its configuration. This secret can be viewed by attackers with access…

Parameterized Remote Trigger Plugin 3.1.3 and earlier stores a secret unencrypted in its global configuration file org.jenkinsci.plugins.ParameterizedRemoteTrigger.RemoteBuildConfiguration.xml on the Jenkins controller as part of its configuration. Thi…

Email Extension Plugin stores an SMTP password in its global configuration file hudson.plugins.emailext.ExtendedEmailPublisher.xml on the Jenkins controller as part of its configuration.
While this password is stored encrypted on disk, it is transmitte…

Amazon EC2 Plugin 1.50.1 and earlier does not require POST requests in several HTTP endpoints, resulting in cross-site request forgery (CSRF) vulnerabilities. This allows an attacker to provision instances with an attacker-specified template ID.
Amazon…

Credentials Binding Plugin allows specifying passwords and other secrets as environment variables, and will hide them from console output in builds. As a side effect of the fix for SECURITY-698, $ characters in secrets are escaped to $$. This will then…

Jenkins Artifactory Plugin 3.6.0 and earlier stores Artifactory server passwords in its global configuration file org.jfrog.hudson.ArtifactoryBuilder.xml on the Jenkins controller as part of its configuration.
While the password is stored encrypted on …

Artifactory Plugin 3.5.0 and earlier stores its Artifactory server password in plain text in the global configuration file org.jfrog.hudson.ArtifactoryBuilder.xml. This password can be viewed by users with access to the Jenkins controller file system.
…