CVE-2018-1000402 — Jenkins AWS CodeDeploy Plugin has Insufficiently Protected Credentials

Description

Jenkins project Jenkins AWS CodeDeploy Plugin version 1.19 and earlier contains a File and Directory Information Exposure vulnerability in AWSCodeDeployPublisher.java that can result in Disclosure of environment variables. This vulnerability appears to have been fixed in 1.20 and later.

How to fix CVE-2018-1000402

To remediate CVE-2018-1000402, upgrade the affected package to a fixed version below.

—upgrade to 1.20 or later

Is CVE-2018-1000402 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1.20

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2018-1000402
WEBgithub.com/jenkinsci/aws-codedeploy-plugin/commit/4bef70636dbcb9e773d4a4a6186726719cb88ee4
WEBgithub.com/jenkinsci/aws-codedeploy-plugin/commit/a086092ddf79d0b232e44f5908e8b6ef3dfcde9d
WEBjenkins.io/security/advisory/2018-06-25/#SECURITY-825