Jenkins Dingding JSON Pusher Plugin 2.0 and earlier stores access tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Affected Packages

Maven com.zintow:dingding-json-pusher

Affected versions: 0 (last affected: 2.0)

Related CVEs

CVE-2023-50772

Key Information

GHSA ID

GHSA-wjr6-v4c7-8cv6

Published

December 13, 2023 6:31 PM

Last Modified

December 18, 2023 6:39 PM

CVSS Score

5.0 /10

Primary Ecosystem

Maven

Primary Package

com.zintow:dingding-json-pusher

GitHub Reviewed

✓ Yes

Dataset

Last updated: August 24, 2025 6:28 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.