PT-2018-9397 · Jenkins · Jenkins Aws Codedeploy Plugin+1

Viktor Gazdag

Published

2018-07-09

Updated

2022-05-13

CVE-2018-1000403

CVSS v3.1

7.8

High

Vector

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Jenkins AWS CodeDeploy Plugin versions 1.19 and earlier

Description The issue is related to insufficiently protected credentials in the Jenkins AWS CodeDeploy Plugin, specifically in the AWSCodeDeployPublisher.java file, which can lead to credentials disclosure. This can be exploited via local file access. The plugin stores the AWS Secret Key in plain text, making it accessible to users viewing the configuration form.

Recommendations For Jenkins AWS CodeDeploy Plugin versions 1.19 and earlier, update to version 1.20 or later, which stores the AWS Secret Key encrypted in the configuration files on disk and no longer transfers it to users in plain text. After updating, save the configuration for existing jobs to overwrite any existing plain text secret keys.

Fix

Insufficiently Protected Credentials

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-522

Related Identifiers

CVE-2018-1000403

GHSA-H66P-M766-33FV

Affected Products

Jenkins

Jenkins Aws Codedeploy Plugin

PT-2018-9397 · Jenkins · Jenkins Aws Codedeploy Plugin+1

CVE-2018-1000403

Weakness Enumeration

Related Identifiers

Affected Products

References · 5