Vulnerability Details : CVE-2017-1000387
Jenkins Build-Publisher plugin version 1.21 and earlier stores credentials to other Jenkins instances in the file hudson.plugins.build_publisher.BuildPublisher.xml in the Jenkins master home directory. These credentials were stored unencrypted, allowing anyone with local file system access to access them. Additionally, the credentials were also transmitted in plain text as part of the configuration form. This could result in exposure of the credentials through browser extensions, cross-site scripting vulnerabilities, and similar situations.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2017-1000387
- cpe:2.3:a:jenkins:build-publisher:*:*:*:*:*:jenkins:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-1000387
0.04%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 10 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2017-1000387
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
2.1
|
LOW | AV:L/AC:L/Au:N/C:P/I:N/A:N |
3.9
|
2.9
|
NIST | |
7.8
|
HIGH | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
1.8
|
5.9
|
NIST |
CWE ids for CVE-2017-1000387
-
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-1000387
-
http://www.securityfocus.com/bid/101544
Jenkins Build Publisher Plugin Information Disclosure VulnerabilityThird Party Advisory;VDB Entry
-
https://jenkins.io/security/advisory/2017-10-23/
Jenkins Security Advisory 2017-10-23Vendor Advisory
Jump to