CVE-2018-1000603

Name of the Vulnerable Software and Affected Versions Jenkins Openstack Cloud Plugin versions 2.35 and earlier

Description A sensitive information exposure issue exists, allowing attackers with Overall/Read access to Jenkins to connect to a specified URL using attacker-specified credentials IDs. This enables the capture of credentials stored in Jenkins and submission of HTTP requests to attacker-specified URLs. The issue is related to several Java files, including BootSource.java, InstancesToRun.java, and others.

Recommendations For Jenkins Openstack Cloud Plugin versions 2.35 and earlier, consider restricting access to sensitive information and credentials until a fix is available. As a temporary workaround, restrict the use of the affected Java files, such as BootSource.java and InstancesToRun.java, to minimize the risk of exploitation.