CVE-2024-34147 - Vulnerability Details - OpenCVE

Jenkins Telegram Bot Plugin 1.4.0 and earlier stores the Telegram Bot token unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00055.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Jenkins	Jenkins-telegram-bot Telegram Bot

Configuration 1 [-]

cpe:2.3:a:jenkins:telegram_bot:*:*:*:*:*:jenkins:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2024-1539	Jenkins Telegram Bot Plugin 1.4.0 and earlier stores the Telegram Bot token unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.
Github GHSA	GHSA-94pr-w968-h923	Jenkins Telegram Bot Plugin stores the Telegram Bot token in plaintext

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2024/05/02/3
https://www.jenkins.io/security/advisory/2024-05-02/#SECURITY-3294

History

Fri, 10 Oct 2025 15:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Jenkins telegram Bot
CPEs		cpe:2.3:a:jenkins:telegram_bot::::::jenkins::*
Vendors & Products		Jenkins telegram Bot

Thu, 13 Feb 2025 18:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Jenkins Jenkins jenkins-telegram-bot
CPEs		cpe:2.3:a:jenkins:jenkins-telegram-bot:-:::::::*
Vendors & Products		Jenkins Jenkins jenkins-telegram-bot
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: jenkins

Published: 2024-05-02T13:28:05.238Z

Updated: 2025-02-13T17:52:26.471Z

Reserved: 2024-04-30T20:53:08.612Z

Link: CVE-2024-34147

Vulnrichment

Updated: 2024-08-02T02:51:09.825Z

NVD

Status : Analyzed

Published: 2024-05-02T14:15:10.447

Modified: 2025-10-10T15:34:45.500

Link: CVE-2024-34147

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-34147", "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "state": "PUBLISHED", "assignerShortName": "jenkins", "dateReserved": "2024-04-30T20:53:08.612Z", "datePublished": "2024-05-02T13:28:05.238Z", "dateUpdated": "2025-02-13T17:52:26.471Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins", "dateUpdated": "2024-05-02T13:30:11.906Z"}, "affected": [{"vendor": "Jenkins Project", "product": "Jenkins Telegram Bot Plugin", "versions": [{"version": "0", "versionType": "maven", "lessThanOrEqual": "1.4.0", "status": "affected"}], "defaultStatus": "unknown"}], "descriptions": [{"lang": "en", "value": "Jenkins Telegram Bot Plugin 1.4.0 and earlier stores the Telegram Bot token unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system."}], "references": [{"name": "Jenkins Security Advisory 2024-05-02", "url": "https://www.jenkins.io/security/advisory/2024-05-02/#SECURITY-3294", "tags": ["vendor-advisory"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/05/02/3"}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-34147", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-02T16:59:23.628441Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:jenkins:jenkins-telegram-bot:-:*:*:*:*:*:*:*"], "vendor": "jenkins", "product": "jenkins-telegram-bot", "versions": [{"status": "affected", "version": "-"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-522", "description": "CWE-522 Insufficiently Protected Credentials"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:41:24.679Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:51:09.825Z"}, "title": "CVE Program Container", "references": [{"name": "Jenkins Security Advisory 2024-05-02", "url": "https://www.jenkins.io/security/advisory/2024-05-02/#SECURITY-3294", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/05/02/3", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.jenkins.io/security/advisory/2024-05-02/#SECURITY-3294", "name": "Jenkins Security Advisory 2024-05-02", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/05/02/3", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:51:09.825Z"}}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-34147", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-02T16:59:23.628441Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:jenkins:jenkins-telegram-bot:-:*:*:*:*:*:*:*"], "vendor": "jenkins", "product": "jenkins-telegram-bot", "versions": [{"status": "affected", "version": "-"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-522", "description": "CWE-522 Insufficiently Protected Credentials"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-02T16:59:12.468Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"affected": [{"vendor": "Jenkins Project", "product": "Jenkins Telegram Bot Plugin", "versions": [{"status": "affected", "version": "0", "versionType": "maven", "lessThanOrEqual": "1.4.0"}], "defaultStatus": "unknown"}], "references": [{"url": "https://www.jenkins.io/security/advisory/2024-05-02/#SECURITY-3294", "name": "Jenkins Security Advisory 2024-05-02", "tags": ["vendor-advisory"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/05/02/3"}], "descriptions": [{"lang": "en", "value": "Jenkins Telegram Bot Plugin 1.4.0 and earlier stores the Telegram Bot token unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system."}], "providerMetadata": {"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins", "dateUpdated": "2024-05-02T13:30:11.906Z"}}}, "cveMetadata": {"cveId": "CVE-2024-34147", "state": "PUBLISHED", "dateUpdated": "2025-02-13T17:52:26.471Z", "dateReserved": "2024-04-30T20:53:08.612Z", "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "datePublished": "2024-05-02T13:28:05.238Z", "assignerShortName": "jenkins"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:telegram_bot:*:*:*:*:*:jenkins:*:*", "matchCriteriaId": "C8F3948F-0C0A-4FD8-B6D8-6B8D2738DB98", "versionEndIncluding": "1.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Jenkins Telegram Bot Plugin 1.4.0 and earlier stores the Telegram Bot token unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system."}, {"lang": "es", "value": "Jenkins Telegram Bot Plugin 1.4.0 y versiones anteriores almacenan el token de Telegram Bot sin cifrar en su archivo de configuraci\u00f3n global en el controlador de Jenkins, donde los usuarios con acceso al sistema de archivos del controlador de Jenkins pueden verlo."}], "id": "CVE-2024-34147", "lastModified": "2025-10-10T15:34:45.500", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-05-02T14:15:10.447", "references": [{"source": "jenkinsci-cert@googlegroups.com", "tags": ["Mailing List"], "url": "http://www.openwall.com/lists/oss-security/2024/05/02/3"}, {"source": "jenkinsci-cert@googlegroups.com", "tags": ["Vendor Advisory"], "url": "https://www.jenkins.io/security/advisory/2024-05-02/#SECURITY-3294"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"], "url": "http://www.openwall.com/lists/oss-security/2024/05/02/3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.jenkins.io/security/advisory/2024-05-02/#SECURITY-3294"}], "sourceIdentifier": "jenkinsci-cert@googlegroups.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-522"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}