CVE-2018-1000187 — Exposure of Sensitive Information in Jenkins Kubernetes Plugin

Description

A exposure of sensitive information vulnerability exists in Jenkins Kubernetes Plugin 1.7.0 and older in ContainerExecDecorator.java that results in sensitive variables such as passwords being written to logs.

How to fix CVE-2018-1000187

To remediate CVE-2018-1000187, upgrade the affected package to a fixed version below.

—upgrade to 1.7.1 or later

Is CVE-2018-1000187 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1.7.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2018-1000187
WEBgithub.com/jenkinsci/kubernetes-plugin/commit/43a1d15b0875ae89ae16f2a2bfdd44ffd1e5f46d
WEBjenkins.io/security/advisory/2018-06-04/#SECURITY-883
WEBwww.jenkins.io/security/advisory/2018-06-04/#SECURITY-883