CVE-2018-1999036 – org.jenkins-ci.plugins:ssh-agent

Package

Manager: maven
Name: org.jenkins-ci.plugins:ssh-agent
Vulnerable Version: >=0 <1.16

Severity

Level: Low

CVSS v3.1: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00204 pctl0.42673

Details

Jenkins SSH Agent Plugin exposes SSH private key password to users with permission to read the build log An exposure of sensitive information vulnerability exists in Jenkins SSH Agent Plugin 1.15 and earlier in SSHAgentStepExecution.java that exposes the SSH private key password to users with permission to read the build log. As of version 1.16, the plugin no longer logs the ssh-add invocation that would reveal the passphrase.

Metadata

Created: 2022-05-13T01:50:55Z
Modified: 2022-12-12T17:00:02Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-wwgx-94v6-fc2p/GHSA-wwgx-94v6-fc2p.json
CWE IDs: ["CWE-532"]
Alternative ID: GHSA-wwgx-94v6-fc2p
Finding: F009
Auto approve: 1