Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1oNjZwLW03NjYtMzNmds4AASkc

AWS CodeDeploy Plugin stored AWS Secret Key in plain text

Jenkins project Jenkins AWS CodeDeploy Plugin version 1.19 and earlier contains an Insufficiently Protected Credentials vulnerability in AWSCodeDeployPublisher.java that can result in Credentials Disclosure. This attack appears to be exploitable via local file access.

AWS CodeDeploy Plugin 1.20 and newer stores the AWS Secret Key encrypted in the configuration files on disk and no longer transfers it to users viewing the configuration form in plain text. Existing jobs need to have their configuration saved for existing plain text secret keys to be overwritten.
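The pattern the fix describes (secret encrypted at rest in the job's XML, and only an encrypted value round-tripped through the configuration form) is the standard Jenkins idiom of holding credentials in `hudson.util.Secret` rather than `String`. The following is an added illustration, not code from the AWS CodeDeploy Plugin; the class, field and form names are hypothetical, and it relies on the Jenkins core API (`Secret.fromString`, `getPlainText`, `getEncryptedValue`, and XStream's built-in `Secret` converter) as it exists in current Jenkins cores.

```java
// Added example (hypothetical plugin class, not the CodeDeploy plugin's source).
// Contrast: a String field is serialized to disk and rendered in the form verbatim;
// a Secret field is serialized in its encrypted form and the form only ever sees
// that encrypted value, which Jenkins decrypts again on the server when the job is saved.
import hudson.Extension;
import hudson.util.Secret;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Publisher;
import hudson.tasks.Recorder;
import hudson.model.AbstractProject;
import org.kohsuke.stapler.DataBoundConstructor;

public class ExampleDeployPublisher extends Recorder {

    // Vulnerable shape (as described for <= 1.19):
    //   private final String awsSecretKey;
    // -> stored in plain text in config.xml and returned to the browser as-is.

    // Hardened shape: encrypted with the instance master key when persisted.
    private final String awsAccessKey;   // access key ID is not sensitive on its own
    private final Secret awsSecretKey;   // secret stays encrypted on disk and in the form

    @DataBoundConstructor
    public ExampleDeployPublisher(String awsAccessKey, Secret awsSecretKey) {
        this.awsAccessKey = awsAccessKey;
        // Stapler/Jelly hands us the form value; Secret.fromString accepts either a
        // freshly typed plain-text key or the encrypted value rendered back from the form.
        this.awsSecretKey = awsSecretKey;
    }

    public String getAwsAccessKey() {
        return awsAccessKey;
    }

    // Getter returns the Secret, not a String: an <f:password> in config.jelly bound to
    // this property renders getEncryptedValue(), never the plain text.
    public Secret getAwsSecretKey() {
        return awsSecretKey;
    }

    // Decrypt only at the point of use, and never log or persist the result.
    String resolveSecretKeyForClient() {
        return Secret.toString(awsSecretKey);   // equivalent to awsSecretKey.getPlainText()
    }

    @Extension
    public static final class DescriptorImpl extends BuildStepDescriptor<Publisher> {
        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) {
            return true;
        }

        @Override
        public String getDisplayName() {
            return "Example deploy (added illustration)";
        }
    }
}
```

Two points worth checking when reviewing a fix of this kind: first, an existing job's config.xml still holds the old plain-text string until the job is re-saved through the new code path, which is exactly the re-save step the advisory calls out; second, any debug logging or `toString()` of the publisher object must not call `getPlainText()`, or the secret reappears in the build log.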

Permalink: https://github.com/advisories/GHSA-h66p-m766-33fv
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1oNjZwLW03NjYtMzNmds4AASkc
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: over 1 year ago
CVSS Score: 7.8
CVSS vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-h66p-m766-33fv, CVE-2018-1000403
References: (none listed)
Blast Radius: 1.0

Affected Packages

maven:com.amazonaws:codedeploy
Affected Version Ranges: < 1.20
Fixed in: 1.20