{"id":"CVE-2022-28135","details":"Jenkins instant-messaging Plugin 1.41 and earlier stores passwords for group chats unencrypted in the global configuration file of plugins based on Jenkins instant-messaging Plugin on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.","aliases":["GHSA-hpm9-fx8v-w45v"],"modified":"2026-04-11T17:20:12.793055Z","published":"2022-03-29T13:15:08.137Z","references":[{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2022/03/29/1"},{"type":"ADVISORY","url":"https://www.jenkins.io/security/advisory/2022-03-29/#SECURITY-2161"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jenkinsci/instant-messaging-plugin","events":[{"introduced":"0"},{"fixed":"e12ce746ed140857fc688ca8f3bc54069c59e3d5"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"1.42"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:jenkins:instant-messaging:*:*:*:*:*:jenkins:*:*"}}],"versions":["instant-messaging-1.17","instant-messaging-1.18","instant-messaging-1.19","instant-messaging-1.20","instant-messaging-1.21","instant-messaging-1.22","instant-messaging-1.23","instant-messaging-1.24","instant-messaging-1.25","instant-messaging-1.26","instant-messaging-1.27","instant-messaging-1.28","instant-messaging-1.30","instant-messaging-1.31","instant-messaging-1.32","instant-messaging-1.33","instant-messaging-1.34","instant-messaging-1.35","instant-messaging-1.37","instant-messaging-1.38","instant-messaging-1.39","instant-messaging-1.40","instant-messaging-1.41"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-28135.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}]}