CVE-2018-1000410 — Exposure of Sensitive Information to an Unauthorized Actor in Jenkins

Description

An information exposure vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier, and the Stapler framework used by these releases, in core/src/main/java/org/kohsuke/stapler/RequestImpl.java, core/src/main/java/hudson/model/Descriptor.java that allows attackers with Overall/Administer permission or access to the local file system to obtain credentials entered by users if the form submission could not be successfully processed.

How to fix CVE-2018-1000410

To remediate CVE-2018-1000410, upgrade the affected package to a fixed version below.

—upgrade to 2.138.2 or later

Is CVE-2018-1000410 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 2.138.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.8	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2018-1000410
PATCHgithub.com/jenkinsci/jenkins
WEBgithub.com/jenkinsci/jenkins/commit/7366cc50106442a021c5178cd101057ecc08f2c2
WEBjenkins.io/security/advisory/2018-10-10/#SECURITY-765
WEB