CVE-2022-28135: 
Java vulnerability analysis and mitigation

The instant-messaging Plugin (CVE-2022-28135) is a framework vulnerability discovered in Jenkins that affects plugins integrating with instant messaging services. The vulnerability was disclosed on March 29, 2022, affecting instant-messaging Plugin versions 1.41 and earlier. This security issue was identified with a Low severity CVSS score (Jenkins Advisory).

The vulnerability stems from the plugin storing passwords for group chats in an unencrypted format within the global configuration file of plugins based on instant-messaging Plugin on the Jenkins controller. This plaintext storage of sensitive credentials creates a security risk as these passwords can be accessed by any user with file system access to the Jenkins controller (Jenkins Advisory).

The primary impact of this vulnerability is the potential exposure of group chat passwords to unauthorized users who have access to the Jenkins controller file system. This could lead to unauthorized access to group chat communications and potentially compromise the confidentiality of team discussions (Jenkins Advisory).

The vulnerability has been fixed in instant-messaging Plugin version 1.42. After upgrading to this version, the plugin encrypts passwords for group chats once the integrating plugin's configuration is saved again. Users are advised to update to the latest version to protect their credentials (Jenkins Advisory).

The vulnerability was discovered and reported by Son Nguyen (@s0nnguy3n_), demonstrating the active security research community's involvement in identifying and reporting Jenkins plugin vulnerabilities (Jenkins Advisory).