Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1jZ2hnLWpjdjYtNHY1bc4AASj5
Jenkins Coverity Plugin has Insufficiently Protected Credentials
A plaintext storage of a password vulnerability exists in Jenkins Coverity Plugin 1.10.0 and earlier in CIMInstance.java that allows an attacker with local file system access or control of a Jenkins administrator's web browser (e.g. malicious extension) to retrieve the configured keystore and private key passwords. The Coverity Plugin 1.11.0 integrates with Credentials Plugin to store passwords, and automatically migrates existing passwords.
Permalink: https://github.com/advisories/GHSA-cghg-jcv6-4v5mJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jZ2hnLWpjdjYtNHY1bc4AASj5
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: almost 2 years ago
Updated: 4 months ago
CVSS Score: 2.7
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Identifiers: GHSA-cghg-jcv6-4v5m, CVE-2018-1000104
References:
- https://nvd.nist.gov/vuln/detail/CVE-2018-1000104
- https://jenkins.io/security/advisory/2018-02-26/#SECURITY-260
- https://github.com/jenkinsci/coverity-plugin/commit/34b7c2b07014b8e1e708361170146600db172491
- https://github.com/advisories/GHSA-cghg-jcv6-4v5m
Blast Radius: 1.0
Affected Packages
maven:org.jenkins-ci.plugins:coverity
Affected Version Ranges: <= 1.10.0Fixed in: 1.11.0