Jenkins · Jenkins Email Extension Plugin · CVE-2018-1000176
**Name of the Vulnerable Software and Affected Versions**
Jenkins Email Extension Plugin versions 2.61 and older
**Description**
The issue allows attackers with control of a Jenkins administrator's web browser to retrieve the configured SMTP password due to an exposure of sensitive information. This can occur when an attacker has control over a Jenkins administrator's web browser, for example, through a malicious extension.
**Recommendations**
For Jenkins Email Extension Plugin versions 2.61 and older, update to a version newer than 2.61 to resolve the issue. As a temporary workaround, consider restricting access to the `global.groovy` and `ExtendedEmailPublisherDescriptor.java` files to minimize the risk of exploitation. Avoid using the Jenkins Email Extension Plugin with a Jenkins administrator's web browser that may be controlled by an attacker until the issue is resolved.