Credential Exposure Affecting org.jenkins-ci.plugins:build-publisher package, versions [,1.22)


Severity: high

Snyk CVSS
  • Attack Complexity: Low
  • Confidentiality: High
  • Integrity: High
  • Availability: High

Threat Intelligence
  • EPSS 0.04% (12th percentile)

NVD: 7.8 high

  • Snyk ID SNYK-JAVA-ORGJENKINSCIPLUGINS-32180
  • published 9 Apr 2018
  • disclosed 23 Oct 2017
  • credit Steve Marlowe

How to fix?

Upgrade org.jenkins-ci.plugins:build-publisher to version 1.22 or higher.

Overview

org.jenkins-ci.plugins:build-publisher is a Jenkins plugin that publishes builds to other Jenkins instances.

Affected versions of this package are vulnerable to Insufficiently Protected Credentials. The plugin stores the credentials it uses to authenticate to other Jenkins instances in the file hudson.plugins.build_publisher.BuildPublisher.xml in the Jenkins master home directory. These credentials are stored unencrypted, so anyone with local file system access to the master can read them. The credentials are also transmitted in plain text as part of the plugin's configuration form, which exposes them to browser extensions, cross-site scripting vulnerabilities, and similar client-side attacks.
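As an added defender-side check (example code, not the advisory's or the plugin's own), the script below parses a BuildPublisher.xml-style file and flags credential elements that are not in Jenkins' encrypted Secret form. The element layout in the sample is constructed for illustration, and the `{<base64>}` encrypted format is an assumption about how Jenkins 2.x serializes secrets.

```python
"""Audit a Build Publisher config file for plaintext credentials."""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Jenkins 2.x writes encrypted Secret values as "{<base64>}" (assumption).
ENCRYPTED_RE = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")
# Element names that should never hold a readable value.
SECRET_TAGS = {"password", "passwd", "secret", "token", "apitoken"}

# Constructed sample: element names are illustrative, not the plugin's exact schema.
SAMPLE_XML = """<hudson.plugins.build__publisher.BuildPublisher>
  <publicInstances>
    <instance>
      <url>https://jenkins-a.example.test/</url>
      <login>publisher</login>
      <password>hunter2</password>
    </instance>
    <instance>
      <url>https://jenkins-b.example.test/</url>
      <login>publisher</login>
      <password>{AQAAABAAAAAwbXlzZWNyZXQ=}</password>
    </instance>
  </publicInstances>
</hudson.plugins.build__publisher.BuildPublisher>
"""


def is_jenkins_encrypted(value: str) -> bool:
    """True if the value looks like a Jenkins-encrypted Secret."""
    return bool(ENCRYPTED_RE.match(value.strip()))


def find_plaintext_secrets(xml_text: str) -> list:
    """Return one finding per secret-like element whose value is not encrypted."""
    root = ET.fromstring(xml_text)
    findings = []
    for parent in root.iter():
        for child in parent:
            value = (child.text or "").strip()
            if child.tag.lower() in SECRET_TAGS and value:
                if not is_jenkins_encrypted(value):
                    findings.append({"field": child.tag,
                                     "url": parent.findtext("url", default="?")})
    return findings


def audit_file(path: str) -> list:
    """Audit an on-disk file, e.g. $JENKINS_HOME/hudson.plugins.build_publisher.BuildPublisher.xml."""
    return find_plaintext_secrets(Path(path).read_text(encoding="utf-8"))
```

Running `find_plaintext_secrets(SAMPLE_XML)` reports only the first instance, whose password is stored in the clear.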