CVE-2017-1000387
Jenkins Build-Publisher plugin has Insufficiently Protected Credentials
Description
Jenkins Build-Publisher plugin version 1.21 and earlier stores credentials to other Jenkins instances in the file `hudson.plugins.build_publisher.BuildPublisher.xml` in the Jenkins master home directory. These credentials were stored unencrypted, allowing anyone with local file system access to access them. Additionally, the credentials were also transmitted in plain text as part of the configuration form. This could result in exposure of the credentials through browser extensions, cross-site scripting vulnerabilities, and similar situations. Build-Publisher Plugin 1.22 encrypts the credentials on disk, and only transmits their encrypted form to users viewing the configuration form.
How to fix CVE-2017-1000387
To remediate CVE-2017-1000387, upgrade the affected package to a fixed version below.
- —upgrade to 1.22 or later
Is CVE-2017-1000387 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 1.22
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.8 | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |