
GHSA-5c4v-vh95-c67c

GitHub Security Advisory

Jenkins Email Extension Plugin SMTP password transmitted and displayed in plain text

✓ GitHub Reviewed | LOW | Has CVE

Advisory Details

Email Extension Plugin stores an SMTP password in its global configuration file `hudson.plugins.emailext.ExtendedEmailPublisher.xml` on the Jenkins controller as part of its configuration.

While this password is stored encrypted on disk, it is transmitted and displayed in plain text as part of the configuration form by Email Extension Plugin 2.72 and 2.73. This can result in exposure of the password.

Email Extension Plugin 2.74 transmits the SMTP password in its global configuration encrypted and masks it using a password field.
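A way to check a saved copy of a configuration form for the exposure described above, as an added example that is not part of the advisory or the plugin's code. The field name `_.smtpPassword`, both sample forms and the brace-wrapped base64 shape assumed for an encrypted value are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Assumption: an encrypted secret appears in the form as base64 wrapped in braces.
ENCRYPTED = re.compile(r"^\{[A-Za-z0-9+/]+={0,2}\}$")


class SecretFieldAudit(HTMLParser):
    """Collect <input> fields named like a password and record how each is rendered."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        name = a.get("name") or ""
        if "password" not in name.lower():
            return
        value = a.get("value") or ""
        problems = []
        # A field without type="password" shows its value on screen.
        if (a.get("type") or "text").lower() != "password":
            problems.append("not masked")
        # A non-empty value that is not in encrypted form travels in plain text.
        if value and not ENCRYPTED.match(value):
            problems.append("plain-text value")
        self.findings.append((name, problems))


def audit_form(html):
    """Return a list of (field name, [problems]) for password-like inputs."""
    parser = SecretFieldAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample markup; names and values are made up.
FORM_EXPOSED = '<form><input type="text" name="_.smtpPassword" value="hunter2-example"></form>'
FORM_FIXED = '<form><input type="password" name="_.smtpPassword" value="{AQAAABAAAAAQexampleonly0000}"></form>'

if __name__ == "__main__":
    for label, html in (("exposed", FORM_EXPOSED), ("fixed", FORM_FIXED)):
        print(label, audit_form(html))
```

An empty problem list means the field is both masked and carries only an encrypted value, which is the behaviour the advisory attributes to 2.74.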

Affected Packages

Maven org.jenkins-ci.plugins:email-ext
Affected versions: 2.72 (fixed in 2.74)

Related CVEs

Key Information

GHSA ID: GHSA-5c4v-vh95-c67c
Published: May 24, 2022 5:25 PM
Last Modified: December 20, 2022 8:29 PM
CVSS Score: 2.5 / 10
Primary Ecosystem: Maven
Primary Package: org.jenkins-ci.plugins:email-ext
GitHub Reviewed: ✓ Yes

Dataset

Last updated: July 4, 2025 6:27 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.