CVE-2018-1000176

Name of the Vulnerable Software and Affected Versions Jenkins Email Extension Plugin versions 2.61 and older

Description The issue allows attackers with control of a Jenkins administrator's web browser to retrieve the configured SMTP password due to an exposure of sensitive information. This can occur when an attacker has control over a Jenkins administrator's web browser, for example, through a malicious extension.

Recommendations For Jenkins Email Extension Plugin versions 2.61 and older, update to a version newer than 2.61 to resolve the issue. As a temporary workaround, consider restricting access to the global.groovy and ExtendedEmailPublisherDescriptor.java files to minimize the risk of exploitation. Avoid using the Jenkins Email Extension Plugin with a Jenkins administrator's web browser that may be controlled by an attacker until the issue is resolved.