Jenkins · Jenkins SSH Agent Plugin · CVE-2018-1999036
**Name of the Vulnerable Software and Affected Versions**
Jenkins SSH Agent Plugin versions 1.15 and earlier
**Description**
The Jenkins SSH Agent Plugin exposes the SSH private key password to users with permission to read the build log. The plugin logs the ssh-add invocation in the SSHAgentStepExecution.java file, and that logged invocation reveals the passphrase.
**Recommendations**
If you run Jenkins SSH Agent Plugin version 1.15 or earlier, update to version 1.16 or later, which no longer logs the ssh-add invocation that would reveal the passphrase.