PT-2018-9314 · Jenkins · Jenkins Github Pull Request Builder Plugin

Steve Marlowe

·

Published

2018-04-05

·

Updated

2022-05-14

·

CVE-2018-1000142

CVSS v3.1

4.0

Medium

Vector AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Jenkins GitHub Pull Request Builder Plugin versions 1.39.0 and older

Description

The Jenkins GitHub Pull Request Builder Plugin exposes sensitive information: the GitHub credentials it uses are serialized into the GhprbCause object (GhprbCause.java) that the plugin attaches to every build it triggers, and that object is written to the build's build.xml on disk. The credentials are only encoded, not encrypted, so an attacker with local file system access can recover them. Updating the plugin does not clean up history: builds started before the update retain the encoded credentials on disk.

Recommendations

For Jenkins GitHub Pull Request Builder Plugin versions 1.39.0 and older, update to version 1.40.0 or newer, which no longer stores serialized objects containing the credential on disk. Treat the GitHub credentials that were used with the plugin as exposed: revoke them and issue new ones. Then run the script provided with the advisory in the Jenkins Script Console; it attempts to remove the stored credentials from the build.xml files of existing builds, since the update alone leaves them in place.
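The cleanup step above is where a practitioner wants a check: which build records still carry an encoded credential, and did the scrub actually remove it? The following is an added example, not the advisory's Script Console script and not code from the plugin. It works offline on build.xml files (run it against a stopped Jenkins instance or a backup copy of JENKINS_HOME, never under a live controller) and looks under the serialized GhprbCause element for leaf values that are valid base64 decoding to printable ASCII, which is the shape of an encoded token or password. The sample build.xml, the fake token and the `<credentials>` child element name are constructed assumptions; the real plugin's field names are not stated on this page.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# XStream writes each build cause under its fully qualified class name;
# GhprbCause lives in the org.jenkinsci.plugins.ghprb package.
GHPRB_CAUSE_TAG = "org.jenkinsci.plugins.ghprb.GhprbCause"

# Heuristic for "encoded credential": an unbroken base64 run of at least 16
# characters. PR numbers, short SHAs and titles with spaces never match.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

# Constructed sample: a fake token and the kind of build.xml fragment an
# affected plugin version would have left behind. The <credentials> element
# name is an assumption, not the plugin's real field name.
FAKE_TOKEN = "ghp_constructedFakeToken12345"
ENCODED_TOKEN = base64.b64encode(FAKE_TOKEN.encode()).decode()
SAMPLE_BUILD_XML = f"""<build>
  <actions>
    <hudson.model.CauseAction>
      <causes>
        <{GHPRB_CAUSE_TAG}>
          <pullID>42</pullID>
          <title>Fix login bug</title>
          <commitSha>deadbeef</commitSha>
          <credentials>{ENCODED_TOKEN}</credentials>
        </{GHPRB_CAUSE_TAG}>
      </causes>
    </hudson.model.CauseAction>
  </actions>
</build>
"""


def decode_if_encoded_secret(value):
    """Return the decoded string if value is base64 that decodes to printable
    ASCII (an encoded password or token); otherwise None."""
    value = value.strip()
    if not B64_RE.match(value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def find_residual_credentials(build_xml_text):
    """List (element tag, decoded value) for every encoded leaf under a GhprbCause."""
    root = ET.fromstring(build_xml_text)
    findings = []
    for cause in root.iter(GHPRB_CAUSE_TAG):
        for elem in cause.iter():
            if elem is cause or len(elem):  # skip the cause itself and non-leaf nodes
                continue
            decoded = decode_if_encoded_secret(elem.text or "")
            if decoded is not None:
                findings.append((elem.tag, decoded))
    return findings


def scrub_build_xml(build_xml_text):
    """Return (cleaned XML text, number of removed elements). Only leaves that
    look like encoded secrets are dropped; the rest of the cause stays so the
    build record still loads."""
    root = ET.fromstring(build_xml_text)
    doomed = []  # collect first, remove afterwards, so iteration is never disturbed
    for cause in root.iter(GHPRB_CAUSE_TAG):
        for parent in cause.iter():
            for child in parent:
                if len(child) == 0 and decode_if_encoded_secret(child.text or "") is not None:
                    doomed.append((parent, child))
    for parent, child in doomed:
        parent.remove(child)
    return ET.tostring(root, encoding="unicode"), len(doomed)


def scan_jenkins_home(jenkins_home):
    """Map each build.xml under a (stopped or copied) JENKINS_HOME that still
    carries encoded credentials to its findings."""
    report = {}
    for build_xml in Path(jenkins_home).rglob("build.xml"):
        findings = find_residual_credentials(build_xml.read_text(encoding="utf-8"))
        if findings:
            report[build_xml] = findings
    return report


if __name__ == "__main__":
    for tag, secret in find_residual_credentials(SAMPLE_BUILD_XML):
        print(f"encoded credential in <{tag}>: {secret}")
    cleaned, count = scrub_build_xml(SAMPLE_BUILD_XML)
    print(f"removed {count} element(s); residual: {find_residual_credentials(cleaned)}")
```

Pair the scan with the credential rotation: a clean scan only proves the files no longer hold the value, not that the value was never read, so the old token still has to be revoked.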

Fix

Information Disclosure


Weakness Enumeration

Related identifiers

CVE-2018-1000142
GHSA-HR74-2J5V-GHFV

Affected products

Jenkins
Jenkins Github Pull Request Builder Plugin