CVE-2017-1000245

CWE-522 — Insufficiently Protected Credentials5 documents5 sources

Severity

9.8CRITICAL

EPSS

0.1%

top 80.84%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins SSH

Timeline

PublishedNov 1

Latest updateMay 13

Description

The SSH Plugin stores credentials which allow jobs to access remote servers via the SSH protocol. User passwords and passphrases for encrypted SSH keys are stored in plaintext in a configuration file.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶Mavenorg.jenkins-ci.plugins:ssh< 2.5

▶Mavenorg.jvnet.hudson.plugins:ssh2.3

▶NVDjenkins/ssh2.4

🔴Vulnerability Details

OSV

Jenkins SSH Plugin user passwords for encrypted SSH keys stored in plaintext↗2022-05-13

▶

GHSA

Jenkins SSH Plugin user passwords for encrypted SSH keys stored in plaintext↗2022-05-13

▶

CVEList

CVE-2017-1000245: The SSH Plugin stores credentials which allow jobs to access remote servers via the SSH protocol↗2017-11-01

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2017-07-10↗2017-07-10

▶