PT-2018-5169 · Jenkins · Jenkins Build-Publisher Plugin
Steve Marlowe
·
Published
2018-01-26
·
Updated
2022-05-13
·
CVE-2017-1000387
CVSS v3.1
7.8
High
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Jenkins Build-Publisher plugin versions 1.21 and earlier
Description
The Jenkins Build-Publisher plugin stores credentials to other Jenkins instances in the file hudson.plugins.build_publisher.BuildPublisher.xml in the Jenkins master home directory. These credentials are stored unencrypted, so anyone with read access to the master's file system can recover them. In addition, the credentials are transmitted in plaintext as part of the plugin's configuration form, which could expose them through browser extensions, cross-site scripting vulnerabilities, and similar situations.
Recommendations
For Jenkins Build-Publisher plugin versions 1.21 and earlier, update to version 1.22 or later, which encrypts the credentials on disk and only transmits their encrypted form to users viewing the configuration form.
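The following check is an added example written for this page; it is not code from the plugin or from the Jenkins project. Given a copy of the plugin's configuration file, it walks every element whose name looks credential-bearing and reports whether the value is in the brace-wrapped base64 form that recent Jenkins versions use when serialising a hudson.util.Secret, or is something else (plaintext as in 1.21 and earlier). The element names in the two constructed sample documents are assumed from the plugin's package name and are illustrative only, as are the sample credentials and the "ciphertext"; the walk does not depend on them. Caveat: older Jenkins releases serialised Secrets as bare base64 without braces, which this check cannot tell apart from a plaintext password that happens to look like base64, so it reports such values as plaintext for a human to confirm.

```python
"""Flag plaintext credentials in a Jenkins plugin config XML (added example)."""
import re
import sys
import xml.etree.ElementTree as ET

# hudson.util.Secret in recent Jenkins serialises as base64 ciphertext in braces.
ENCRYPTED_RE = re.compile(r"^\{[A-Za-z0-9+/]+={0,2}\}$")
# Element-name substrings (case-insensitive) that usually hold credentials.
SENSITIVE = ("password", "passwd", "secret", "token", "apikey")


def classify(value):
    """'empty', 'encrypted' (brace-wrapped base64) or 'plaintext' (anything else).
    Caveat: a legacy bare-base64 Secret is reported as 'plaintext' by this rule."""
    v = (value or "").strip()
    if not v:
        return "empty"
    return "encrypted" if ENCRYPTED_RE.match(v) else "plaintext"


def _walk(elem, path, out):
    here = path + "/" + elem.tag
    if any(s in elem.tag.lower() for s in SENSITIVE):
        out.append((here, classify(elem.text)))
    for child in elem:
        _walk(child, here, out)


def find_credentials(xml_text):
    """Return [(element_path, classification)] for every credential-looking element."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    out = []
    _walk(ET.fromstring(data), "", out)
    return out


def plaintext_paths(xml_text):
    """Paths of credential elements that need attention (plaintext or legacy format)."""
    return [p for p, c in find_credentials(xml_text) if c == "plaintext"]


# Constructed sample of what the 1.21-and-earlier file could look like. Element
# names are assumed from the plugin's package (XStream writes '_' as '__');
# server name, URL and credentials are made up.
VULNERABLE_XML = """<?xml version='1.0' encoding='UTF-8'?>
<hudson.plugins.build__publisher.BuildPublisher>
  <servers>
    <hudson.plugins.build__publisher.HudsonInstance>
      <name>downstream-ci</name>
      <url>https://ci.example.invalid/</url>
      <login>publisher</login>
      <password>hunter2</password>
    </hudson.plugins.build__publisher.HudsonInstance>
  </servers>
</hudson.plugins.build__publisher.BuildPublisher>
"""

# Constructed sample of the same entry after the 1.22 fix: the password is now a
# Secret. The braced value below is filler, not real Jenkins ciphertext.
FIXED_XML = VULNERABLE_XML.replace(
    "<password>hunter2</password>",
    "<password>{AQAAABAAAAAgxk3MZ7cR1vQ8pL0wTn4aY9eBsH2uKj6dF5oXmN1cGk=}</password>",
)


if __name__ == "__main__":
    # Usage: python check_build_publisher.py \
    #   "$JENKINS_HOME/hudson.plugins.build_publisher.BuildPublisher.xml"
    # With no argument the constructed vulnerable sample is checked instead.
    text = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else VULNERABLE_XML
    for path, cls in find_credentials(text):
        print(f"{cls:9s} {path}")
    sys.exit(1 if plaintext_paths(text) else 0)
```

Run it read-only on the master, as a user that can already read $JENKINS_HOME; the exit status is non-zero whenever a credential-looking element is not in Secret form, which makes it easy to wire into a post-upgrade check. Note that upgrading the plugin alone does not rotate credentials that were already readable on disk or already sent in plaintext to browsers; those should be changed on the target Jenkins instances.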
Fix
Update to Build-Publisher plugin 1.22 or later (see Recommendations above).
Weakness Enumeration
CWE-522: Insufficiently Protected Credentials
Related identifiers
Affected products
Jenkins
Jenkins Build-Publisher Plugin