CVE-2018-1000142 org.jenkins-ci.plugins:ghprb

Package

Manager: maven
Name: org.jenkins-ci.plugins:ghprb
Vulnerable Version: >=0 <1.40.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00019 (percentile 0.03436)

Details

Jenkins GitHub Pull Request Builder Plugin allows an attacker with local file system access to obtain GitHub credentials.

An exposure of sensitive information vulnerability exists in Jenkins GitHub Pull Request Builder Plugin version 1.39.0 and older, in GhprbCause.java, that allows an attacker with local file system access to obtain GitHub credentials. Since 1.40.0, the plugin no longer stores serialized objects containing the credential on disk. Builds started before the plugin was updated to 1.40.0 will retain the encoded credentials on disk. We strongly recommend revoking old GitHub credentials used in Jenkins. We’re providing a script for use in the Script Console that will attempt to remove old stored credentials from build.xml files.
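As an added illustration (not the Script Console script the advisory refers to, and not code from the plugin), a Python inventory check that walks a JENKINS_HOME for build.xml records still holding a serialized GhprbCause, so pre-1.40.0 builds can be cleaned up and the credentials they carry revoked. The Java package name, XML layout and field names in the constructed sample records are assumptions; matching keys only on the class name GhprbCause from the advisory.

```python
"""Find Jenkins build.xml records that still carry a serialized GhprbCause."""
import os
import tempfile
import xml.etree.ElementTree as ET

FIXED = (1, 40, 0)  # first ghprb release that stops serializing the credential

def is_vulnerable_version(version: str) -> bool:
    """True for ghprb versions below 1.40.0 (the advisory's fixed version)."""
    parts = [int(p) for p in version.split(".")[:3]]
    parts += [0] * (3 - len(parts))
    return tuple(parts) < FIXED

def find_retained_causes(jenkins_home: str) -> list:
    """Walk JENKINS_HOME for build.xml files and return (path, child tags)
    for every serialized element whose Java class name is GhprbCause."""
    hits = []
    for root, _dirs, files in sorted(os.walk(jenkins_home)):
        if "build.xml" not in files:
            continue
        path = os.path.join(root, "build.xml")
        try:
            tree = ET.parse(path)
        except ET.ParseError:
            hits.append((path, ["<unparseable: inspect manually>"]))
            continue
        for elem in tree.iter():
            # Jenkins serializes objects as elements named after the Java class
            if elem.tag.rsplit(".", 1)[-1] == "GhprbCause":
                hits.append((path, sorted(child.tag for child in elem)))
    return hits

# Constructed sample records; package, layout and field names are assumed.
OLD_BUILD = """<build><actions><hudson.model.CauseAction><causes>
<org.jenkinsci.plugins.ghprb.GhprbCause>
  <pullID>42</pullID><credentials>PLACEHOLDER-ENCODED-SECRET</credentials>
</org.jenkinsci.plugins.ghprb.GhprbCause>
</causes></hudson.model.CauseAction></actions></build>"""
CLEAN_BUILD = """<build><actions><hudson.model.CauseAction><causes>
<hudson.model.Cause_-UserIdCause><userId>alice</userId></hudson.model.Cause_-UserIdCause>
</causes></hudson.model.CauseAction></actions></build>"""

def demo() -> int:
    """Create a throwaway JENKINS_HOME with one old and one clean build,
    print flagged records and return how many were flagged (expected: 1)."""
    with tempfile.TemporaryDirectory() as home:
        for num, xml in (("1", OLD_BUILD), ("2", CLEAN_BUILD)):
            build_dir = os.path.join(home, "jobs", "demo-job", "builds", num)
            os.makedirs(build_dir)
            with open(os.path.join(build_dir, "build.xml"), "w") as fh:
                fh.write(xml)
        hits = find_retained_causes(home)
        for path, fields in hits:
            print(f"{path}: GhprbCause retained, fields {fields}")
        return len(hits)

if __name__ == "__main__":
    demo()
```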

Metadata

Created: 2022-05-14T03:23:44Z
Modified: 2022-12-12T21:06:35Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-hr74-2j5v-ghfv/GHSA-hr74-2j5v-ghfv.json
CWE IDs: CWE-200
Alternative ID: GHSA-hr74-2j5v-ghfv
Finding: F310
Auto approve: 1