CVE-2018-1000109 — Jenkins Google Play Android Publisher Plugin allows attacker to obtain credentia

Description

An improper authorization vulnerability exists in Jenkins Google Play Android Publisher Plugin version 1.6 and earlier in `GooglePlayBuildStepDescriptor.java` that allow an attacker to obtain credential IDs. As of version 1.7, enumeration of credentials IDs and validation of specified credentials in this plugin requires the permissions to have the ExtendedRead permission (when that permission is enabled; otherwise Configure permission) to the job in whose context credentials are being accessed.

How to fix CVE-2018-1000109

To remediate CVE-2018-1000109, upgrade the affected package to a fixed version below.

—upgrade to 1.7 or later

Is CVE-2018-1000109 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1.7

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2018-1000109
PATCHgithub.com/jenkinsci/google-play-android-publisher-plugin
WEBgithub.com/jenkinsci/google-play-android-publisher-plugin/commit/f81b058289caf3332ae40d599a36a3665b1fa13c
WEBjenkins.io/security/advisory/2018-02-26/#SECURITY-715