Jenkins Zoom Plugin is Missing Password Field Masking

Description

Missing password field masking in the Zoom Jenkins Marketplace plugin before version 1.6 may allow an unauthenticated user to conduct a disclosure of information via adjacent network access.

Basic information

Type
reviewed
Severity
low
Advisory on GitHub
Open advisory ↗
Repository advisory
Source code
Browse source ↗
Published (advisory)
2025-02-04 00:32:03 UTC
Updated
2025-03-13 19:19:19 UTC
GitHub reviewed
2025-03-13 19:19:18 UTC
NVD published
2025-02-03

EPSS Score

Score Percentile
0.12% 30.86%

CVSS Scores

Base score Version Severity Vector
2.6 3.1
CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N Click to expand
Attack vector (AV:A)
Attacker has to be nearby on the network—same office, same link, that vibe—not the whole wide internet.
Attack complexity (AC:H)
Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:R)
A real person has to do something—click, install, enable—otherwise it doesn’t land.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:L)
Some sensitive info could get out, but not a total data dump.
Integrity (I:N)
Data isn’t meaningfully altered or forged.
Availability (A:N)
Service keeps running; no real outage angle.

Identifiers

CWEs

CWE id Name
CWE-549 Missing Password Field Masking

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
maven io.jenkins.plugins:zoom < 1.6 1.6

References

cvelogic Threat Intelligence