Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS04NzZqLTRxNzMtN2Y1Ns4AAW5C
Jenkins GitHub Pull Request Builder Plugin
GitHub Pull Request Builder Plugin stored the webhook secret shared between Jenkins and GitHub in plain text. This allowed users with Jenkins controller local file system access and Jenkins administrators to retrieve the stored password. The latter could result in exposure of the passwords through browser extensions, cross-site scripting vulnerabilities, and similar situations. GitHub Pull Request Builder Plugin 1.32.1 and newer stores the webhook secret encrypted on disk.
Permalink: https://github.com/advisories/GHSA-876j-4q73-7f56JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04NzZqLTRxNzMtN2Y1Ns4AAW5C
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: over 2 years ago
Updated: almost 2 years ago
CVSS Score: 3.1
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
EPSS Percentage: 0.00042
EPSS Percentile: 0.05089
Identifiers: GHSA-876j-4q73-7f56, CVE-2018-1000143
References:
- https://nvd.nist.gov/vuln/detail/CVE-2018-1000143
- https://jenkins.io/security/advisory/2018-03-26/#SECURITY-262
- https://github.com/advisories/GHSA-876j-4q73-7f56
Affected Packages
maven:org.jenkins-ci.plugins:ghprb
Affected Version Ranges: < 1.32.1Fixed in: 1.32.1