PT-2018-9315 · Jenkins · Jenkins Github Pull Request Builder Plugin+1

Steve Marlowe · Published 2018-04-05 · Updated 2022-05-14 · CVE-2018-1000143

CVSS v3.1: 3.1 (Low)
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Jenkins GitHub Pull Request Builder Plugin versions 1.39.0 and older
Jenkins GitHub Pull Request Builder Plugin versions prior to 1.32.1

Description

A sensitive information exposure issue exists that allows an attacker with local file system access to obtain GitHub credentials. The GitHub Pull Request Builder Plugin stored the webhook secret shared between Jenkins and GitHub in plain text, so it could be retrieved by users with local file system access or by Jenkins administrators. This could lead to exposure of passwords through various means, such as browser extensions or cross-site scripting vulnerabilities.

Recommendations

For Jenkins GitHub Pull Request Builder Plugin versions 1.39.0 and older, update to version 1.32.1 or newer, which stores the webhook secret encrypted on disk. For Jenkins GitHub Pull Request Builder Plugin versions prior to 1.32.1, update to version 1.32.1 or newer to ensure the webhook secret is stored encrypted.
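As an added illustration (not from the advisory and not the plugin's own code), the following Python check scans a Jenkins-style XML configuration for secret-like fields whose values are not in the encrypted form that Jenkins' `hudson.util.Secret` writes; the element names and the sample configuration are constructed, and the `{base64}` pattern is an assumption about the modern Secret on-disk format.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: Jenkins' hudson.util.Secret serializes as base64 wrapped in
# curly braces ("{...}"); older cores emitted bare base64 instead.
ENCRYPTED_SECRET = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")
# Heuristic (constructed): element names that should never hold plaintext.
SECRET_NAMES = re.compile(r"(secret|password|token|credential)", re.IGNORECASE)


def find_plaintext_secrets(xml_text: str) -> list[tuple[str, str]]:
    """Return (element path, value) for every secret-like element whose
    value is present but not in Jenkins' encrypted Secret form."""
    root = ET.fromstring(xml_text)
    findings: list[tuple[str, str]] = []

    def walk(elem: ET.Element, path: str) -> None:
        here = f"{path}/{elem.tag}"
        if SECRET_NAMES.search(elem.tag):
            value = (elem.text or "").strip()
            if value and not ENCRYPTED_SECRET.match(value):
                findings.append((here, value))
        for child in elem:
            walk(child, here)

    walk(root, "")
    return findings


# Constructed sample: one plaintext webhook secret (the pre-fix behaviour the
# advisory describes) beside one stored in encrypted Secret form.
SAMPLE_CONFIG = """<pluginConfig>
  <githubAuth>
    <serverAPIUrl>https://api.github.com</serverAPIUrl>
    <secret>hunter2-webhook-shared-secret</secret>
  </githubAuth>
  <githubAuth>
    <serverAPIUrl>https://api.github.com</serverAPIUrl>
    <secret>{AQAAABAAAAAQconstructedciphertextblob==}</secret>
  </githubAuth>
</pluginConfig>
"""

if __name__ == "__main__":
    for path, value in find_plaintext_secrets(SAMPLE_CONFIG):
        # Only a prefix is printed so the scan itself does not leak the value.
        print(f"plaintext secret at {path}: {value[:4]}...")
```

Run the check against a backup of the Jenkins home directory after upgrading; a clean result on the affected fields confirms the fixed plugin re-saved the secret in encrypted form.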

Fix

Information Disclosure

Related Identifiers

CVE-2018-1000143
GHSA-876J-4Q73-7F56

Affected Products

Jenkins
Jenkins Github Pull Request Builder Plugin