CVE-2018-1000418

Name of the Vulnerable Software and Affected Versions Jenkins HipChat Plugin versions 2.2.0 and earlier

Description An improper authorization issue exists in the Jenkins HipChat Plugin, specifically in HipChatNotifier.java, allowing attackers with Overall/Read access to send test notifications to a specified HipChat server using attacker-specified credentials IDs. This could potentially capture credentials stored in Jenkins.

Recommendations For Jenkins HipChat Plugin versions 2.2.0 and earlier, update to version 2.2.1 or later, which requires POST requests and Overall/Administer permissions for the form validation method, thereby mitigating the issue.