Jenkins · Jenkins Email Extension Plugin · CVE-2020-2232
**Name of the Vulnerable Software and Affected Versions**
Jenkins Email Extension Plugin versions 2.72 through 2.73
**Description**
The issue concerns the transmission and display of the SMTP password in plain text as part of the global Jenkins configuration form, potentially resulting in its exposure. The Email Extension Plugin stores the SMTP password in its global configuration file `hudson.plugins.emailext.ExtendedEmailPublisher.xml` on the Jenkins controller. Although the password is stored encrypted on disk, it is transmitted and displayed in plain text in the configuration form by affected versions.
**Recommendations**
For Jenkins Email Extension Plugin versions 2.72 and 2.73, update to version 2.74 or later, which transmits the SMTP password encrypted and masks it using a password field.
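To find controllers that still run an affected release, the version range above can be checked against each controller's plugin inventory. The script below is an added example, not part of the advisory or of the Jenkins project's code. It assumes the inventory is the JSON returned by the plugin manager API (`/pluginManager/api/json?depth=1`) and that the plugin's short name is `email-ext`; the controller names and sample data are constructed.

```python
import json
import re

PLUGIN = "email-ext"       # short name of the Email Extension Plugin (assumption)
FIRST_AFFECTED = (2, 72)   # advisory: versions 2.72 through 2.73 are affected
FIRST_FIXED = (2, 74)      # advisory: 2.74 or later is fixed


def parse_version(text):
    """Return the leading numeric components of a plugin version as a tuple."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
        if m.end() != len(piece):  # a suffix such as -SNAPSHOT ends the number
            break
    return tuple(parts)


def is_affected(version):
    # Compare numerically: as strings, "2.104" would sort before "2.74".
    v = parse_version(version)
    return bool(v) and FIRST_AFFECTED <= v < FIRST_FIXED


def audit(inventory):
    """inventory maps controller name -> plugin manager JSON text."""
    findings = []
    for controller, doc in sorted(inventory.items()):
        for plugin in json.loads(doc).get("plugins", []):
            version = plugin.get("version", "")
            if plugin.get("shortName") == PLUGIN and is_affected(version):
                findings.append((controller, version))
    return findings


# Constructed sample inventory: five hypothetical controllers.
SAMPLE = {
    "ci-a": '{"plugins":[{"shortName":"email-ext","version":"2.73"}]}',
    "ci-b": '{"plugins":[{"shortName":"email-ext","version":"2.104"}]}',
    "ci-c": '{"plugins":[{"shortName":"email-ext","version":"2.71"}]}',
    "ci-d": '{"plugins":[{"shortName":"git","version":"4.3.0"},'
            '{"shortName":"email-ext","version":"2.72"}]}',
    "ci-e": '{"plugins":[{"shortName":"email-ext","version":"1234.vabcdef012345"}]}',
}

if __name__ == "__main__":
    for controller, version in audit(SAMPLE):
        print(f"{controller}: {PLUGIN} {version} is affected, update to 2.74 or later")
```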