CVE-2018-1000403 – com.amazonaws:codedeploy
Package
Manager: maven
Name: com.amazonaws:codedeploy
Vulnerable Version: >=0 <1.20
Severity
Level: High
CVSS v3.1: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00012 (percentile 0.01107)
Details
AWS CodeDeploy Plugin stored the AWS Secret Key in plain text in the Jenkins project configuration. Jenkins AWS CodeDeploy Plugin version 1.19 and earlier contains an Insufficiently Protected Credentials vulnerability in AWSCodeDeployPublisher.java that can result in credentials disclosure. This attack appears to be exploitable via local file access. AWS CodeDeploy Plugin 1.20 and newer stores the AWS Secret Key encrypted in the configuration files on disk and no longer transfers it in plain text to users viewing the configuration form. Existing jobs need to have their configuration saved for existing plain text secret keys to be overwritten.
Metadata
Created: 2022-05-13T01:48:37Z
Modified: 2022-07-27T20:57:55Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-h66p-m766-33fv/GHSA-h66p-m766-33fv.json
CWE IDs: CWE-522
Alternative ID: GHSA-h66p-m766-33fv
Finding: F035
Auto approve: 1