PT-2018-9283 · Jenkins · Jenkins Coverity Plugin+1

Steve Marlowe

Published

2018-03-13

Updated

2022-05-13

CVE-2018-1000104

CVSS v3.1

2.7

Low

Vector

AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions: Jenkins Coverity Plugin versions 1.10.0 and earlier

Description: A plaintext storage of a password issue exists in CIMInstance.java, allowing an attacker with local file system access or control of a Jenkins administrator's web browser to retrieve the configured keystore and private key passwords.

Recommendations: For Jenkins Coverity Plugin versions 1.10.0 and earlier, update to version 1.11.0, which integrates with Credentials Plugin to securely store passwords and automatically migrates existing passwords.

Fix

Insufficiently Protected Credentials

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-522

Related Identifiers

CVE-2018-1000104

GHSA-CGHG-JCV6-4V5M

Affected Products

Jenkins

Jenkins Coverity Plugin

PT-2018-9283 · Jenkins · Jenkins Coverity Plugin+1

CVE-2018-1000104

Weakness Enumeration

Related Identifiers

Affected Products

References · 6