Matthias Nodeland

**Name of the Vulnerable Software and Affected Versions** Jenkins Email Extension Plugin versions 2.61 and older **Description** The issue allows attackers with control of a Jenkins administrator's web browser to retrieve the configured SMTP password due to an exposure of sensitive information. This can occur when an attacker has control over a Jenkins administrator's web browser, for example, through a malicious extension. **Recommendations** For Jenkins Email Extension Plugin versions 2.61 and older, update to a version newer than 2.61 to resolve the issue. As a temporary workaround, consider restricting access to the `global.groovy` and `ExtendedEmailPublisherDescriptor.java` files to minimize the risk of exploitation. Avoid using the Jenkins Email Extension Plugin with a Jenkins administrator's web browser that may be controlled by an attacker until the issue is resolved.