CVE-2024-34147

Name of the Vulnerable Software and Affected Versions Jenkins Telegram Bot Plugin versions 1.4.0 and earlier

Description The issue concerns the storage of the Telegram Bot token in an unencrypted manner within the global configuration file on the Jenkins controller. This file can be accessed by users with permission to the Jenkins controller file system, potentially exposing the token. The configuration file in question is jenkinsci.plugins.telegrambot.TelegramBotGlobalConfiguration.xml. There is no information provided about the estimated number of potentially affected devices or real-world incidents related to this issue.

Recommendations For Jenkins Telegram Bot Plugin versions 1.4.0 and earlier, as a temporary workaround, consider restricting access to the jenkinsci.plugins.telegrambot.TelegramBotGlobalConfiguration.xml file to minimize the risk of token exposure. At the moment, there is no information about a newer version that contains a fix for this vulnerability.