CVE-2023-50772: 
Java vulnerability analysis and mitigation

Jenkins Dingding JSON Pusher Plugin version 2.0 and earlier contains a security vulnerability (CVE-2023-50772) that was disclosed on December 13, 2023. The vulnerability affects the storage of access tokens in the plugin's configuration files. The affected component is the Dingding JSON Pusher Plugin for Jenkins, which is used for integration with the Dingding messaging platform (Jenkins Advisory, NVD).

The vulnerability stems from the plugin storing access tokens unencrypted in job config.xml files on the Jenkins controller. These tokens are stored as part of its configuration and can be accessed by users who have either Item/Extended Read permission or access to the Jenkins controller file system. The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (MEDIUM) with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, indicating a low-complexity attack requiring low privileges (NVD).

The primary impact of this vulnerability is the potential exposure of sensitive access tokens. Users with Item/Extended Read permission or those who can access the Jenkins controller file system can view these unencrypted tokens. This could lead to unauthorized access to Dingding services or other connected systems using the exposed credentials (Jenkins Advisory).

As of the publication of the security advisory, there is no fix available for this vulnerability. The Jenkins security team has acknowledged the issue but has not released a patched version (Jenkins Advisory, OSS Security).

The vulnerability was discovered and reported by Andrea Chiera from CloudBees, Inc., as part of a broader security audit of Jenkins plugins. The Jenkins project has publicly acknowledged this contribution in their security advisory (Jenkins Advisory).