Credential Exposure Affecting org.jenkins-ci.plugins:build-publisher package, versions [,1.22)
- Snyk ID SNYK-JAVA-ORGJENKINSCIPLUGINS-32180
- published 9 Apr 2018
- disclosed 23 Oct 2017
- credit Steve Marlowe
Introduced: 23 Oct 2017
CVE-2017-1000387
How to fix?
Upgrade org.jenkins-ci.plugins:build-publisher to version 1.22 or higher.
Overview
org.jenkins-ci.plugins:build-publisher is a Jenkins build-publisher plugin.
Affected versions of this package are vulnerable to Insufficiently Protected Credentials. The plugin stores credentials for other Jenkins instances in the hudson.plugins.build_publisher.BuildPublisher.xml file in the Jenkins master home directory. These credentials were stored unencrypted, so anyone with access to the local file system could read them. The credentials were also transmitted in plain text as part of the configuration form, which could expose them through browser extensions, cross-site scripting vulnerabilities, and similar situations.
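As an added defender's check, not part of the Snyk advisory or of the plugin's own code, the following Python script audits a BuildPublisher-style XML configuration for credential elements stored in the clear, reporting their location without echoing the values. The secret-bearing element names, the braced-base64 format of Jenkins-encrypted secrets, and the sample XML are assumptions and constructed input, since the advisory does not describe the file's schema.

```python
"""Audit a Jenkins plugin XML config for credentials stored in the clear."""
import re
import xml.etree.ElementTree as ET

# Element names that typically carry secrets (assumption: the advisory does
# not list the plugin's actual XML schema, so adjust for the file you audit).
SECRET_TAGS = {"password", "passwd", "secret", "apitoken", "token"}

# Jenkins serialises encrypted Secret values as base64 wrapped in braces
# (assumption about the exact format). Anything else is reported for review,
# so the check is conservative rather than permissive.
ENCRYPTED_RE = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")

# Constructed sample; the element names are placeholders, not the plugin's.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<buildPublisherConfig>
  <instance>
    <name>staging</name>
    <url>https://jenkins-staging.example.invalid/</url>
    <login>publisher</login>
    <password>hunter2</password>
  </instance>
  <instance>
    <name>prod</name>
    <url>https://jenkins-prod.example.invalid/</url>
    <login>publisher</login>
    <password>{AQAAABAAAAAQc29tZWVuY3J5cHRlZGJsb2I=}</password>
  </instance>
  <instance>
    <name>unused</name>
    <password></password>
  </instance>
</buildPublisherConfig>
"""


def find_plaintext_secrets(xml_text):
    """Return XPath-like locations of secret elements whose text is not in the
    encrypted format. Values are never returned, so the report itself does not
    re-expose the credential."""
    root = ET.fromstring(xml_text)
    findings = []

    def walk(elem, path):
        value = (elem.text or "").strip()
        if elem.tag.lower() in SECRET_TAGS and value and not ENCRYPTED_RE.match(value):
            findings.append(path)
        seen = {}  # per-tag sibling counter so repeated elements stay distinct
        for child in elem:
            seen[child.tag] = seen.get(child.tag, 0) + 1
            walk(child, f"{path}/{child.tag}[{seen[child.tag]}]")

    walk(root, f"/{root.tag}")
    return findings


def audit_file(path):
    """Audit an on-disk config file (e.g. one under JENKINS_HOME)."""
    with open(path, encoding="utf-8") as fh:
        return find_plaintext_secrets(fh.read())


if __name__ == "__main__":
    for location in find_plaintext_secrets(SAMPLE_XML):
        print(f"plaintext credential at {location}")
```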