CVE-2018-1000403

Name of the Vulnerable Software and Affected Versions Jenkins AWS CodeDeploy Plugin versions 1.19 and earlier

Description The issue is related to insufficiently protected credentials in the Jenkins AWS CodeDeploy Plugin, specifically in the AWSCodeDeployPublisher.java file, which can lead to credentials disclosure. This can be exploited via local file access. The plugin stores the AWS Secret Key in plain text, making it accessible to users viewing the configuration form.

Recommendations For Jenkins AWS CodeDeploy Plugin versions 1.19 and earlier, update to version 1.20 or later, which stores the AWS Secret Key encrypted in the configuration files on disk and no longer transfers it to users in plain text. After updating, save the configuration for existing jobs to overwrite any existing plain text secret keys.