CVE-2018-1000192 — Sensitive Information Exposure in Jenkins

CWE-200 — Sensitive Information Exposure8 documents7 sources

Severity

4.3MEDIUMNVD

EPSS

0.5%

top 34.93%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Oracle Communications Cloud Native Core Automated Test Suite

Timeline

PublishedJun 5

Latest updateMay 13

Description

A information exposure vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in AboutJenkins.java, ListPluginsCommand.java that allows users with Overall/Read access to enumerate all installed plugins.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶NVDjenkins/jenkins2.120+1

▶NVDoracle/communications_cloud_native_core_automated_test_suite1.9.0

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

GHSA

Exposure of Sensitive Information to an Unauthorized Actor in Jenkins↗2022-05-13

▶

OSV

Exposure of Sensitive Information to an Unauthorized Actor in Jenkins↗2022-05-13

▶

CVEList

CVE-2018-1000192: A information exposure vulnerability exists in Jenkins 2↗2018-06-05

▶

📋Vendor Advisories

Red Hat

jenkins: CLI and UI allow non-admin users to enumerate installed plugins (SECURITY-771)↗2018-05-09

▶

Jenkins

Jenkins Security Advisory 2018-05-09↗2018-05-09

▶

💬Community

Bugzilla

CVE-2018-1000192 jenkins: CLI and UI allow non-admin users to enumerate installed plugins (SECURITY-771)↗2018-05-10

▶

Bugzilla

CVE-2018-1000192 CVE-2018-1000193 CVE-2018-1000194 CVE-2018-1000195 jenkins: various flaws [fedora-all]↗2018-05-10

▶