⚠ Exploited in the wild
Exploitation observed in the wild. Not yet on CISA KEV.

CVE-2018-1000600: Sensitive Information Exposure in Jenkins GitHub Plugin

Severity: 8.8 HIGH (NVD)
EPSS: 93.5% (top 0.17%)
CISA KEV: Not in KEV
Exploit: Exploited in wild (active exploitation observed)
Affected products: see Affected Packages below
Timeline: Published Jun 26; latest update May 13

Description

An exposure of sensitive information vulnerability exists in Jenkins GitHub Plugin 1.29.1 and earlier in GitHubTokenCredentialsCreator.java that allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (1 package)

NVD: jenkins/github 1.29.1

🔴 Vulnerability Details (4)

GHSA: CSRF vulnerability and missing permission checks in GitHub Plugin allowed capturing credentials (2022-05-13)
OSV: CSRF vulnerability and missing permission checks in GitHub Plugin allowed capturing credentials (2022-05-13)
CVEList: CVE-2018-1000600: An exposure of sensitive information vulnerability exists in Jenkins GitHub Plugin 1… (2018-06-26)
VulnCheck: Jenkins github: Exposure of Sensitive Information to an Unauthorized Actor (2018)

💥 Exploits & PoCs (1)

Nuclei: Jenkins GitHub Plugin <=1.29.1 - Server-Side Request Forgery

📋 Vendor Advisories (2)

Jenkins: Jenkins Security Advisory 2018-06-25 (2018-06-25)
Red Hat: jenkins-plugin-github: CSRF vulnerability and missing permission checks in GitHub Plugin allowed capturing credentials (SECURITY-915) (2018-06-25)

💬 Community (1)

Bugzilla: CVE-2018-1000600 jenkins-plugin-github: CSRF vulnerability and missing permission checks in GitHub Plugin allowed capturing credentials (SECURITY-915) (2018-06-28)
CVE-2018-1000600 — Sensitive Information Exposure | cvebase