CVE-2018-1999040 — Exposure of Sensitive Information in Jenkins Kubernetes Plugin

Description

An exposure of sensitive information vulnerability exists in Jenkins Kubernetes Plugin 1.10.1 and earlier in KubernetesCloud.java that allows attackers to capture credentials with a known credentials ID stored in Jenkins.

How to fix CVE-2018-1999040

To remediate CVE-2018-1999040, upgrade the affected package to a fixed version below.

—upgrade to 1.10.2 or later

Is CVE-2018-1999040 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1.10.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References (3)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2018-1999040
WEBgithub.com/jenkinsci/kubernetes-plugin/commit/bf7a47847dfb5ef2d1e2a537e2eb9f28063988c6
WEBjenkins.io/security/advisory/2018-07-30/#SECURITY-1016