CVE-2017-1000387

CWE-522Insufficiently Protected Credentials5 documents5 sources
Severity
7.8HIGH
EPSS
0.0%
top 97.86%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Jenkins Build-publisher
Timeline
PublishedJan 26
Latest updateMay 13

Description

Jenkins Build-Publisher plugin version 1.21 and earlier stores credentials to other Jenkins instances in the file hudson.plugins.build_publisher.BuildPublisher.xml in the Jenkins master home directory. These credentials were stored unencrypted, allowing anyone with local file system access to access them. Additionally, the credentials were also transmitted in plain text as part of the configuration form. This could result in exposure of the credentials through browser extensions, cross-site scri

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages2 packages

🔴Vulnerability Details

3
OSV
Jenkins Build-Publisher plugin has Insufficiently Protected Credentials2022-05-13
GHSA
Jenkins Build-Publisher plugin has Insufficiently Protected Credentials2022-05-13
CVEList
CVE-2017-1000387: Jenkins Build-Publisher plugin version 12018-01-26

📋Vendor Advisories

1
Jenkins
Jenkins Security Advisory 2017-10-232017-10-23
CVE-2017-1000387 (HIGH CVSS 7.8) | Jenkins Build-Publisher plugin vers | cvebase.io