PT-2018-5169 · Jenkins · Jenkins Build-Publisher Plugin+1

Steve Marlowe · Published 2018-01-26 · Updated 2022-05-13

CVE-2017-1000387

CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Jenkins Build-Publisher plugin versions 1.21 and earlier

Description: The Jenkins Build-Publisher plugin stores credentials for other Jenkins instances in the file hudson.plugins.build_publisher.BuildPublisher.xml in the Jenkins master home directory. These credentials are stored unencrypted, so anyone with local file system access can read them. Additionally, the credentials are transmitted in plain text as part of the configuration form, which could expose them through browser extensions, cross-site scripting vulnerabilities, and similar situations.

Recommendations: For Jenkins Build-Publisher plugin versions 1.21 and earlier, update to version 1.22 or later, which encrypts the credentials on disk and only transmits their encrypted form to users viewing the configuration form.
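A defender-side check for this class of issue (credentials left unencrypted in a plugin's XML config under the Jenkins home), written here as an added example and not code from the advisory or from the Build-Publisher plugin. It assumes two things: that a Jenkins-encrypted secret is rendered as a base64 string wrapped in braces (the form `hudson.util.Secret` writes), and a constructed, simplified XML layout (`buildPublisherConfig`, `publicInstances`, `instance`) that only stands in for the real file's schema. It flags secret-looking elements whose value is not in the encrypted form, and separately flags config files whose mode lets group or other read them.

```python
import os
import re
import stat
import tempfile
import xml.etree.ElementTree as ET

# Element names that commonly carry credentials in Jenkins plugin configs.
SECRET_TAGS = {"password", "passwd", "secret", "apitoken", "token"}

# Assumption: an encrypted Jenkins Secret serialises as "{<base64>}".
_ENCRYPTED_RE = re.compile(r"\{[A-Za-z0-9+/]+={0,2}\}")

# Constructed sample mimicking the plaintext storage described in the advisory.
# The element names are an assumption, not the real BuildPublisher.xml schema.
PLAINTEXT_CONFIG = """<buildPublisherConfig>
  <publicInstances>
    <instance>
      <name>downstream</name>
      <url>https://ci.example.invalid/</url>
      <login>deploy</login>
      <password>hunter2</password>
    </instance>
  </publicInstances>
</buildPublisherConfig>
"""

# Constructed sample of the fixed form: same layout, encrypted value (fake base64).
ENCRYPTED_CONFIG = PLAINTEXT_CONFIG.replace(
    "hunter2", "{AQAAABAAAAAQ0b7Wr9KJ7Zc3v1uX8Y2p4Q==}"
)


def looks_encrypted(value: str) -> bool:
    """True if the value has the shape of an encrypted Jenkins Secret."""
    return _ENCRYPTED_RE.fullmatch(value.strip()) is not None


def _walk(elem: ET.Element, path: str, findings: list) -> None:
    for child in elem:
        child_path = f"{path}/{child.tag}"
        text = (child.text or "").strip()
        if child.tag.lower() in SECRET_TAGS and text and not looks_encrypted(text):
            # Record the element path only; never copy the secret into output.
            findings.append(child_path)
        _walk(child, child_path, findings)


def find_plaintext_secrets(xml_text: str) -> list:
    """Return element paths of secret-like values that are not encrypted."""
    root = ET.fromstring(xml_text)
    findings: list = []
    _walk(root, root.tag, findings)
    return findings


def is_group_or_world_readable(mode: int) -> bool:
    """True if the file mode grants read access beyond the owner."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def scan_jenkins_home(home: str) -> list:
    """Walk a Jenkins home and report (path, issue) pairs for *.xml files."""
    report = []
    for dirpath, _dirs, files in os.walk(home):
        for name in files:
            if not name.endswith(".xml"):
                continue
            full = os.path.join(dirpath, name)
            if is_group_or_world_readable(os.stat(full).st_mode):
                report.append((full, "readable by group/other"))
            try:
                with open(full, encoding="utf-8") as fh:
                    for elem_path in find_plaintext_secrets(fh.read()):
                        report.append((full, f"plaintext secret at {elem_path}"))
            except ET.ParseError:
                report.append((full, "unparseable XML"))
    return report


if __name__ == "__main__":
    # Demo against a throwaway directory standing in for JENKINS_HOME.
    with tempfile.TemporaryDirectory() as home:
        target = os.path.join(home, "hudson.plugins.build_publisher.BuildPublisher.xml")
        with open(target, "w", encoding="utf-8") as fh:
            fh.write(PLAINTEXT_CONFIG)
        os.chmod(target, 0o644)
        for path, issue in scan_jenkins_home(home):
            print(f"{path}: {issue}")
```

Run it on a real `JENKINS_HOME` by calling `scan_jenkins_home("/var/lib/jenkins")` as the Jenkins user. The encrypted-shape check is a heuristic: a plugin could store a secret under an unlisted tag, so treat an empty report as "nothing obvious", not as proof, and pair it with the version check the advisory recommends.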

Fix

Weakness Enumeration

Insufficiently Protected Credentials

Related Identifiers

CVE-2017-1000387
GHSA-M3WV-FR8V-FMH7

Affected Products

Jenkins
Jenkins Build-Publisher Plugin