Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS04NzZqLTRxNzMtN2Y1Ns4AAW5C

Jenkins GitHub Pull Request Builder Plugin

GitHub Pull Request Builder Plugin stored the webhook secret shared between Jenkins and GitHub in plain text. This allowed users with Jenkins controller local file system access and Jenkins administrators to retrieve the stored password. The latter could result in exposure of the passwords through browser extensions, cross-site scripting vulnerabilities, and similar situations. GitHub Pull Request Builder Plugin 1.32.1 and newer stores the webhook secret encrypted on disk.

Permalink: https://github.com/advisories/GHSA-876j-4q73-7f56
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04NzZqLTRxNzMtN2Y1Ns4AAW5C
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: about 2 years ago
Updated: over 1 year ago


CVSS Score: 3.1
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

Identifiers: GHSA-876j-4q73-7f56, CVE-2018-1000143
References: Blast Radius: 1.0

Affected Packages

maven:org.jenkins-ci.plugins:ghprb
Affected Version Ranges: < 1.32.1
Fixed in: 1.32.1