CVE-2018-1000603

Опубликовано: 26 июн. 2018

Источник: nvd

CVSS3: 8.8

CVSS2: 4

EPSS Низкий

Описание

A exposure of sensitive information vulnerability exists in Jenkins Openstack Cloud Plugin 2.35 and earlier in BootSource.java, InstancesToRun.java, JCloudsCleanupThread.java, JCloudsCloud.java, JCloudsComputer.java, JCloudsPreCreationThread.java, JCloudsRetentionStrategy.java, JCloudsSlave.java, JCloudsSlaveTemplate.java, LauncherFactory.java, OpenstackCredentials.java, OpenStackMachineStep.java, SlaveOptions.java, SlaveOptionsDescriptor.java that allows attackers with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins, and to cause Jenkins to submit HTTP requests to attacker-specified URLs.

Ссылки

https://jenkins.io/security/advisory/2018-06-25/#SECURITY-808
Vendor Advisory
https://jenkins.io/security/advisory/2018-06-25/#SECURITY-808
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:jenkins:openstack_cloud:*:*:*:*:*:jenkins:*:*

Версия до 2.35 (включая)

EPSS

Процентиль: 29%

0.00107

Низкий

8.8 High

CVSS3

4 Medium

CVSS2

Дефекты

CWE-200

Связанные уязвимости

GHSA-grf8-94q5-4phx