CVE-2017-1000387
CVE-2017-1000387 is a vulnerability for which this page records no severity score. Jenkins Build-Publisher plugin version 1.21 and earlier stores the credentials it uses to reach other Jenkins instances in the file hudson.plugins.build_publisher.BuildPublisher.xml in the Jenkins master home directory. These credentials are stored unencrypted, so anyone with local file system access to that directory can read them. EPSS estimates a 0.38% chance of exploitation in the next 30 days.
Description
Jenkins Build-Publisher plugin version 1.21 and earlier stores credentials to other Jenkins instances in the file hudson.plugins.build_publisher.BuildPublisher.xml in the Jenkins master home directory. These credentials were stored unencrypted, allowing anyone with local file system access to access them. Additionally, the credentials were also transmitted in plain text as part of the configuration form. This could result in exposure of the credentials through browser extensions, cross-site scripting vulnerabilities, and similar situations.
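The description names the file and the affected version range, which is enough to write an offline check for the on-disk half of the issue. The script below is an added example, not code from NVD or the Jenkins project. It assumes the plugin manifest sits at `$JENKINS_HOME/plugins/build-publisher/META-INF/MANIFEST.MF` with a `Plugin-Version:` header, that Jenkins-encrypted secrets look like `{<base64>}` (a heuristic, not a guarantee), and it uses a constructed sample of the XML whose element names are assumed; the real file may differ. It flags password-like elements that are not in encrypted form, reports whether the installed plugin version falls in the `<= 1.21` range, and checks whether the file is readable beyond its owner.

```python
"""Audit a Jenkins master for CVE-2017-1000387-style plaintext credentials.

Added example (not NVD's or the Jenkins project's code). Assumptions:
  * config file: $JENKINS_HOME/hudson.plugins.build_publisher.BuildPublisher.xml
    (the path named in the CVE);
  * plugin manifest: $JENKINS_HOME/plugins/build-publisher/META-INF/MANIFEST.MF
    (assumed path) carrying a 'Plugin-Version:' header;
  * Jenkins-encrypted secrets look like '{<base64>}' (assumed heuristic); any
    other non-empty value in a password-like element is treated as plaintext.
SAMPLE_XML and SAMPLE_MANIFEST below are constructed for illustration.
"""
import base64
import os
import re
import stat
import xml.etree.ElementTree as ET
from typing import List, Tuple

SECRET_NAMES = re.compile(r"(password|passwd|secret|token|apikey)", re.I)
ENCRYPTED_RE = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")


def looks_encrypted(value: str) -> bool:
    """Heuristic: treat brace-wrapped, valid base64 as a Jenkins-encrypted secret."""
    value = value.strip()
    if not ENCRYPTED_RE.match(value):
        return False
    try:
        base64.b64decode(value[1:-1], validate=True)
        return True
    except ValueError:
        return False


def find_plaintext_secrets(xml_text: str) -> List[Tuple[str, str]]:
    """Return (element path, value) for password-like elements not in encrypted form."""
    root = ET.fromstring(xml_text)
    hits: List[Tuple[str, str]] = []

    def walk(elem: ET.Element, path: str) -> None:
        here = f"{path}/{elem.tag}"
        text = (elem.text or "").strip()
        if SECRET_NAMES.search(elem.tag) and text and not looks_encrypted(text):
            hits.append((here, text))
        for child in elem:
            walk(child, here)

    walk(root, "")
    return hits


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric-only version tuple, e.g. '1.21' -> (1, 21)."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def plugin_version_affected(manifest_text: str, last_vulnerable: str = "1.21") -> bool:
    """True if MANIFEST.MF's Plugin-Version is within the affected range (<= 1.21)."""
    m = re.search(r"^Plugin-Version:\s*(\S+)", manifest_text, re.M)
    if not m:
        raise ValueError("no Plugin-Version header in manifest")
    return parse_version(m.group(1)) <= parse_version(last_vulnerable)


def readable_beyond_owner(path: str) -> bool:
    """Local-FS exposure check: file readable by group or others."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


# Constructed sample mimicking the plugin's config; element names are assumed.
SAMPLE_XML = """<hudson.plugins.build__publisher.BuildPublisher_-DescriptorImpl>
  <publicInstances>
    <hudson.plugins.build__publisher.HudsonInstance>
      <name>downstream-ci</name>
      <url>https://ci.example.internal/</url>
      <login>publisher</login>
      <password>hunter2</password>
    </hudson.plugins.build__publisher.HudsonInstance>
    <hudson.plugins.build__publisher.HudsonInstance>
      <name>already-encrypted</name>
      <url>https://ci2.example.internal/</url>
      <login>publisher</login>
      <password>{AQAAABAAAAAwMTIzNDU2Nzg5MDEyMzQ1}</password>
    </hudson.plugins.build__publisher.HudsonInstance>
  </publicInstances>
</hudson.plugins.build__publisher.BuildPublisher_-DescriptorImpl>
"""

# Constructed manifest for an installation in the affected range.
SAMPLE_MANIFEST = "Manifest-Version: 1.0\nShort-Name: build-publisher\nPlugin-Version: 1.21\n"

if __name__ == "__main__":
    home = os.environ.get("JENKINS_HOME", "/var/lib/jenkins")  # assumed default
    cfg = os.path.join(home, "hudson.plugins.build_publisher.BuildPublisher.xml")
    xml_text = open(cfg).read() if os.path.exists(cfg) else SAMPLE_XML
    for path, value in find_plaintext_secrets(xml_text):
        print(f"PLAINTEXT secret at {path}: {value!r}")
    if os.path.exists(cfg):
        print("readable beyond owner:", readable_beyond_owner(cfg))
    print("plugin version in affected range:", plugin_version_affected(SAMPLE_MANIFEST))
```

The encrypted-form heuristic only tells you that a value is not obviously plaintext; a plaintext password that happens to be brace-wrapped base64 would be missed, so treat a clean result as "nothing found", not "nothing stored". The configuration-form half of the issue (credentials echoed back in the HTML) needs an authenticated request to the running master and is not covered here.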
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Jenkins | Build-Publisher | <= 1.21 |
References
- http://www.securityfocus.com/bid/101544 (Third Party Advisory, VDB Entry)
- https://jenkins.io/security/advisory/2017-10-23/ (Vendor Advisory)
Frequently Asked Questions
What is CVE-2017-1000387?
Jenkins Build-Publisher plugin 1.21 and earlier stores the credentials it uses to reach other Jenkins instances unencrypted in hudson.plugins.build_publisher.BuildPublisher.xml under the Jenkins master home directory, and also sends them in plain text in the plugin's configuration form.
How severe is CVE-2017-1000387?
This page records no CVSS score. EPSS estimates a 0.38% chance of exploitation in the next 30 days. Exploitation requires either local file system access to the master or a way to read the configuration form (a browser extension, a cross-site scripting flaw or similar); the payoff is valid credentials for the other Jenkins instances.
How do I fix CVE-2017-1000387?
The affected range on this page is Build-Publisher <= 1.21; the Jenkins security advisory of 2017-10-23 in the References is the authoritative source for the fixed version. Until the plugin is upgraded, restrict file system access to the Jenkins master home directory and rotate the credentials stored in the file, since they may already have been read.
Source: NVD / NIST
