Vulnerability Description
Jenkins Build-Publisher plugin version 1.21 and earlier stores credentials to other Jenkins instances in the file hudson.plugins.build_publisher.BuildPublisher.xml in the Jenkins master home directory. These credentials were stored unencrypted, allowing anyone with local file system access to access them. Additionally, the credentials were also transmitted in plain text as part of the configuration form. This could result in exposure of the credentials through browser extensions, cross-site scripting vulnerabilities, and similar situations.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Jenkins | Build-Publisher | <= 1.21 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/101544Third Party AdvisoryVDB Entry
- https://jenkins.io/security/advisory/2017-10-23/Vendor Advisory
- http://www.securityfocus.com/bid/101544Third Party AdvisoryVDB Entry
- https://jenkins.io/security/advisory/2017-10-23/Vendor Advisory
FAQ
What is CVE-2017-1000387?
CVE-2017-1000387 is a vulnerability with a CVSS score of 7.8 (HIGH). Jenkins Build-Publisher plugin version 1.21 and earlier stores credentials to other Jenkins instances in the file hudson.plugins.build_publisher.BuildPublisher.xml in the Jenkins master home directory...
How severe is CVE-2017-1000387?
CVE-2017-1000387 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-1000387?
Check the references section above for vendor advisories and patch information. Affected products include: Jenkins Build-Publisher.