PT-2018-15220 · Jenkins · Jenkins Tinfoil Security Plugin+1

Viktor Gazdag · Published 2018-08-01 · Updated 2022-05-14 · CVE-2018-1999041

CVSS v3.1: 5.5 (Medium)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Jenkins Tinfoil Security Plugin versions 1.6.1 and earlier

Description

An exposure of sensitive information issue exists that allows attackers with file system access to the Jenkins master to obtain the API secret key stored in the plugin's configuration, specifically in TinfoilScanRecorder.java.

Recommendations

For Jenkins Tinfoil Security Plugin versions 1.6.1 and earlier, consider restricting file system access to the Jenkins master to minimize the risk of exploitation. As a temporary workaround, restrict access to the TinfoilScanRecorder.java component until a patch is available.

Fix

Information Disclosure

Weakness Enumeration

Related identifiers

CVE-2018-1999041
GHSA-68QX-WHXM-H4C4

Affected products

Jenkins
Jenkins Tinfoil Security Plugin