CVE-2018-1000143 – org.jenkins-ci.plugins:ghprb

Package

Manager: maven
Name: org.jenkins-ci.plugins:ghprb
Vulnerable Version: >=0 <1.32.1

Severity

Level: Low

CVSS v3.1: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.0002 pctl0.03656

Details

Jenkins GitHub Pull Request Builder Plugin GitHub Pull Request Builder Plugin stored the webhook secret shared between Jenkins and GitHub in plain text. This allowed users with Jenkins controller local file system access and Jenkins administrators to retrieve the stored password. The latter could result in exposure of the passwords through browser extensions, cross-site scripting vulnerabilities, and similar situations. GitHub Pull Request Builder Plugin 1.32.1 and newer stores the webhook secret encrypted on disk.

Metadata

Created: 2022-05-14T03:23:44Z
Modified: 2022-12-12T21:08:02Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-876j-4q73-7f56/GHSA-876j-4q73-7f56.json
CWE IDs: ["CWE-200"]
Alternative ID: GHSA-876j-4q73-7f56
Finding: F038
Auto approve: 1