CVE-2018-1000142
Jenkins GitHub Pull Request Builder Plugin allows attacker with local file system access to obtain GitHub credentials
Description
An exposure of sensitive information vulnerability exists in Jenkins GitHub Pull Request Builder Plugin version 1.39.0 and older in GhprbCause.java that allows an attacker with local file system access to obtain GitHub credentials. Since 1.40.0, the plugin no longer stores serialized objects containing the credential on disk. Builds started before the plugin was updated to 1.40.0 will retain the encoded credentials on disk. We strongly recommend revoking old GitHub credentials used in Jenkins. We’re providing a script for use in the Script Console that will attempt to remove old stored credentials from build.xml files.
How to fix CVE-2018-1000142
To remediate CVE-2018-1000142, upgrade the affected package to a fixed version below.
- —upgrade to 1.40.0 or later
Is CVE-2018-1000142 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 1.40.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM4.0 | CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |