PT-2018-9314 · Jenkins · Jenkins Github Pull Request Builder Plugin
Steve Marlowe · Published 2018-04-05 · Updated 2022-05-14 · CVE-2018-1000142
CVSS v3.1: 4.0 (Medium)
| Vector | AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Jenkins GitHub Pull Request Builder Plugin versions 1.39.0 and older
Description
An exposure of sensitive information issue exists in the Jenkins GitHub Pull Request Builder Plugin that allows an attacker with local file system access to obtain GitHub credentials. The issue is related to the GhprbCause.java file. Builds started before the plugin was updated will retain the encoded credentials on disk.
Recommendations
For Jenkins GitHub Pull Request Builder Plugin versions 1.39.0 and older, update to version 1.40.0 or newer, as it no longer stores serialized objects containing the credential on disk. Additionally, revoke old GitHub credentials used in Jenkins. Use the provided script in the Script Console to attempt to remove old stored credentials from build.xml files.
Fix
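As an added inventory check (not the advisory's Script Console script and not the plugin's own code), the following lists the build.xml files that still reference GhprbCause, so an administrator can see which builds started before the upgrade may still hold the encoded credentials and need clean-up alongside the credential revocation. It assumes the standard JENKINS_HOME layout jobs/<job>/builds/<n>/build.xml and that the serialized cause element is named after the GhprbCause class; the sample tree it builds is constructed for the stand-alone run.

```shell
#!/bin/sh
# Added example, not the advisory's or the plugin's own script: list build.xml
# files that still carry a serialized GhprbCause, i.e. builds started before the
# plugin upgrade that may retain the encoded GitHub credentials on disk.
# Assumptions: the standard JENKINS_HOME layout jobs/<job>/builds/<n>/build.xml,
# and that the serialized cause element is named after the GhprbCause class.

# Print every build.xml that still references GhprbCause, sorted by path.
find_ghprb_builds() {
  jenkins_home="$1"
  find "$jenkins_home/jobs" -type f -path '*/builds/*/build.xml' 2>/dev/null |
    while IFS= read -r f; do
      grep -qF 'GhprbCause' "$f" && printf '%s\n' "$f"
    done | sort
}

# Count affected builds so an administrator can size the clean-up.
count_ghprb_builds() {
  find_ghprb_builds "$1" | grep -c . || true
}

# Constructed sample JENKINS_HOME for a stand-alone run (not real data):
# one build with a GhprbCause and two without, across two jobs.
make_sample_home() {
  home="$(mktemp -d)"
  mkdir -p "$home/jobs/pr-builder/builds/1" "$home/jobs/pr-builder/builds/2" \
           "$home/jobs/nightly/builds/7"
  cat > "$home/jobs/pr-builder/builds/1/build.xml" <<'EOF'
<?xml version='1.1' encoding='UTF-8'?>
<build>
  <actions>
    <hudson.model.CauseAction>
      <causes>
        <org.jenkinsci.plugins.ghprb.GhprbCause/>
      </causes>
    </hudson.model.CauseAction>
  </actions>
</build>
EOF
  printf '<build><actions/></build>\n' > "$home/jobs/pr-builder/builds/2/build.xml"
  printf '<build><actions/></build>\n' > "$home/jobs/nightly/builds/7/build.xml"
  printf '%s\n' "$home"
}

# Usage against a real instance:  sh find_ghprb_builds.sh /var/lib/jenkins
if [ -n "${1:-}" ]; then
  find_ghprb_builds "$1"
  echo "affected builds: $(count_ghprb_builds "$1")"
fi
```

Matching the class name only identifies affected builds; removing the stored credential from those files is what the advisory's Script Console script is for.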
Information Disclosure
Weakness Enumeration
Related Identifiers
Affected Products
Jenkins
Jenkins Github Pull Request Builder Plugin