CVE-2021-21634 — Passwords stored in plain text by Jenkins Jabber (XMPP) notifier and control Plu

描述

Jenkins Jabber (XMPP) notifier and control Plugin 1.41 and earlier stores passwords unencrypted in its global configuration file `hudson.plugins.jabber.im.transport.JabberPublisher.xml` on the Jenkins controller as part of its configuration. These passwords can be viewed by users with access to the Jenkins controller file system. Jenkins Jabber (XMPP) notifier and control Plugin 1.42 stores passwords encrypted once its configuration is saved again.

如何修補 CVE-2021-21634

要修補 CVE-2021-21634,請將受影響套件升級到下列已修補版本。

—升級至 1.42 或更新版本

CVE-2021-21634 正在被利用嗎?

低 — EPSS 為 0.0%,目前沒有觀察到大規模利用活動。

受影響套件(1)

from 0, < 1.42

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

參考連結(5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-21634
PATCHgithub.com/jenkinsci/jabber-plugin
WEBgithub.com/jenkinsci/jabber-plugin/commit/67882cfd189d6d05ad39e043edbfbf079dc37677
WEBwww.jenkins.io/security/advisory/2021-03-30/#SECURITY-2162