CVE-2017-1000387

EPSS 0.01%
Veröffentlicht 26.01.2018 02:29:00
Zuletzt bearbeitet 21.11.2024 03:04:36
Quelle cve@mitre.org
Teams Watchlist Login
Unerledigt Login

Jenkins Build-Publisher plugin version 1.21 and earlier stores credentials to other Jenkins instances in the file hudson.plugins.build_publisher.BuildPublisher.xml in the Jenkins master home directory. These credentials were stored unencrypted, allowing anyone with local file system access to access them. Additionally, the credentials were also transmitted in plain text as part of the configuration form. This could result in exposure of the credentials through browser extensions, cross-site scripting vulnerabilities, and similar situations.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Jenkins ≫ Build-publisher SwPlatformjenkins Version <= 1.21

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.01%	0.01

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.8	1.8	5.9	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	2.1	3.9	2.9	AV:L/AC:L/Au:N/C:P/I:N/A:N

CWE-522 Insufficiently Protected Credentials

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

https://jenkins.io/security/advisory/2017-10-23/

Vendor Advisory

http://www.securityfocus.com/bid/101544

Third Party Advisory

VDB Entry

https://nvd.nist.gov/vuln/detail/CVE-2017-1000387

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2017-1000387

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2017-1000387

EUVD