Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1ocjc0LTJqNXYtZ2hmds4AAW4_
Jenkins GitHub Pull Request Builder Plugin allows attacker with local file system access to obtain GitHub credentials
An exposure of sensitive information vulnerability exists in Jenkins GitHub Pull Request Builder Plugin version 1.39.0 and older in GhprbCause.java that allows an attacker with local file system access to obtain GitHub credentials. Since 1.40.0, the plugin no longer stores serialized objects containing the credential on disk. Builds started before the plugin was updated to 1.40.0 will retain the encoded credentials on disk. We strongly recommend revoking old GitHub credentials used in Jenkins. We’re providing a script for use in the Script Console that will attempt to remove old stored credentials from build.xml files.
Permalink: https://github.com/advisories/GHSA-hr74-2j5v-ghfv
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1ocjc0LTJqNXYtZ2hmds4AAW4_
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: almost 2 years ago
CVSS Score: 4.0
CVSS vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS Percentage: 0.00042
EPSS Percentile: 0.05089
Identifiers: GHSA-hr74-2j5v-ghfv, CVE-2018-1000142
References:
- https://nvd.nist.gov/vuln/detail/CVE-2018-1000142
- https://jenkins.io/security/advisory/2018-03-26/#SECURITY-261
- https://github.com/advisories/GHSA-hr74-2j5v-ghfv
Affected Packages
maven:org.jenkins-ci.plugins:ghprb
Affected Version Ranges: <= 1.39.0
Fixed in: 1.40.0