PT-2018-9465 · Jenkins · Jenkins Configuration As Code Plugin+1

Published

2018-06-26

Updated

2022-05-13

CVE-2018-1000610

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Jenkins Configuration as Code Plugin versions 0.7-alpha and earlier

Description A sensitive information exposure issue exists that allows attackers with access to Jenkins log files to obtain passwords configured using the plugin. This is due to the exposure in DataBoundConfigurator.java, Attribute.java, BaseConfigurator.java, and ExtensionConfigurator.java.

Recommendations For Jenkins Configuration as Code Plugin versions 0.7-alpha and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

Insufficiently Protected Credentials

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-522

Related Identifiers

CVE-2018-1000610

GHSA-8486-H39X-CX2F

Affected Products

Jenkins

Jenkins Configuration As Code Plugin

PT-2018-9465 · Jenkins · Jenkins Configuration As Code Plugin+1

CVE-2018-1000610

Weakness Enumeration

Related Identifiers

Affected Products

References · 4