Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2017-1000387

Jenkins Build-Publisher plugin version 1.21 and earlier stores credentials to other Jenkins instances in the file hudson.plugins.build_publisher.BuildPublisher.xml in the Jenkins master home directory. These credentials were stored unencrypted, allowing anyone with local file system access to access them. Additionally, the credentials were also transmitted in plain text as part of the configuration form. This could result in exposure of the credentials through browser extensions, cross-site scripting vulnerabilities, and similar situations.

Published

2018-01-26T02:29:00.330

Last Modified

2024-11-21T03:04:36.817

Status

Modified

Source

[email protected]

Severity

CVSSv3.0: 7.8 (HIGH)

CVSSv2 Vector

AV:L/AC:L/Au:N/C:P/I:N/A:N

Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

Exploitability Score

3.9

Impact Score

2.9

Weaknesses

Type: Primary
CWE-522

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	jenkins	build-publisher	≤ 1.21	Yes

References

http://www.securityfocus.com/bid/101544 Third Party Advisory, VDB Entry ([email protected])
https://jenkins.io/security/advisory/2017-10-23/ Vendor Advisory ([email protected])
http://www.securityfocus.com/bid/101544 Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
https://jenkins.io/security/advisory/2017-10-23/ Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)