Jenkins · Jenkins Telegram Bot Plugin · CVE-2024-34147
**Name of the Vulnerable Software and Affected Versions**
Jenkins Telegram Bot Plugin versions 1.4.0 and earlier
**Description**
The issue concerns the storage of the Telegram Bot token in an unencrypted manner within the global configuration file on the Jenkins controller. This file can be accessed by users with permission to the Jenkins controller file system, potentially exposing the token. The configuration file in question is `jenkinsci.plugins.telegrambot.TelegramBotGlobalConfiguration.xml`. There is no information provided about the estimated number of potentially affected devices or real-world incidents related to this issue.
**Recommendations**
For Jenkins Telegram Bot Plugin versions 1.4.0 and earlier, as a temporary workaround, consider restricting access to the `jenkinsci.plugins.telegrambot.TelegramBotGlobalConfiguration.xml` file to minimize the risk of token exposure. At the moment, there is no information about a newer version that contains a fix for this vulnerability.