PT-2018-9346 · Jenkins · Jenkins Email Extension Plugin+1

Matthias Nodeland

Published

2018-05-08

Updated

2022-05-14

CVE-2018-1000176

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions Jenkins Email Extension Plugin versions 2.61 and older

Description The issue allows attackers with control of a Jenkins administrator's web browser to retrieve the configured SMTP password due to an exposure of sensitive information. This can occur when an attacker has control over a Jenkins administrator's web browser, for example, through a malicious extension.

Recommendations For Jenkins Email Extension Plugin versions 2.61 and older, update to a version newer than 2.61 to resolve the issue. As a temporary workaround, consider restricting access to the global.groovy and ExtendedEmailPublisherDescriptor.java files to minimize the risk of exploitation. Avoid using the Jenkins Email Extension Plugin with a Jenkins administrator's web browser that may be controlled by an attacker until the issue is resolved.

Fix

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-200

Related Identifiers

CVE-2018-1000176

GHSA-GWXM-WQPQ-W539

Affected Products

Jenkins

Jenkins Email Extension Plugin

PT-2018-9346 · Jenkins · Jenkins Email Extension Plugin+1

CVE-2018-1000176

Weakness Enumeration

Related Identifiers

Affected Products

References · 4