PT-2019-8729 · Jenkins · Jenkins Hipchat Plugin

Viktor Gazdag

Published

2019-01-09

Updated

2022-05-13

CVE-2018-1000418

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Jenkins HipChat Plugin versions 2.2.0 and earlier

Description An improper authorization issue exists in the Jenkins HipChat Plugin, specifically in HipChatNotifier.java, allowing attackers with Overall/Read access to send test notifications to a specified HipChat server using attacker-specified credentials IDs. This could potentially capture credentials stored in Jenkins.

Recommendations For Jenkins HipChat Plugin versions 2.2.0 and earlier, update to version 2.2.1 or later, which requires POST requests and Overall/Administer permissions for the form validation method, thereby mitigating the issue.

Fix

Incorrect Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-863

Related Identifiers

CVE-2018-1000418

GHSA-W3F7-2QFW-348X

Affected Products

Jenkins Hipchat Plugin

PT-2019-8729 · Jenkins · Jenkins Hipchat Plugin

CVE-2018-1000418

Weakness Enumeration

Related Identifiers

Affected Products

References · 6