CVE-2018-1000401 – com.amazonaws:aws-codepipeline
Package
Manager: maven
Name: com.amazonaws:aws-codepipeline
Vulnerable Version: >=0 <0.37
Severity
Level: High
CVSS v3.1: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00012 (percentile: 0.01107)
Details
Jenkins AWS CodePipeline Plugin has Insufficiently Protected Credentials
Jenkins project Jenkins AWS CodePipeline Plugin version 0.36 and earlier contains an Insufficiently Protected Credentials vulnerability in AWSCodePipelineSCM.java that can result in Credentials Disclosure. This attack appears to be exploitable via local file access. This vulnerability appears to have been fixed in 0.37 and later.
Metadata
Created: 2022-05-13T01:48:37Z
Modified: 2022-11-08T12:51:29Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-5gwq-4275-q4qc/GHSA-5gwq-4275-q4qc.json
CWE IDs: ["CWE-522"]
Alternative ID: GHSA-5gwq-4275-q4qc
Finding: F035
Auto approve: 1