CVE-2018-1000401 — Jenkins AWS CodePipeline Plugin has Insufficiently Protected Credentials

Description

Jenkins project Jenkins AWS CodePipeline Plugin version 0.36 and earlier contains a Insufficiently Protected Credentials vulnerability in AWSCodePipelineSCM.java that can result in Credentials Disclosure. This attack appear to be exploitable via local file access. This vulnerability appears to have been fixed in 0.37 and later.

How to fix CVE-2018-1000401

To remediate CVE-2018-1000401, upgrade the affected package to a fixed version below.

—upgrade to 0.37 or later

Is CVE-2018-1000401 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 0.37

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.8	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References (3)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2018-1000401
WEBgithub.com/jenkinsci/aws-codepipeline-plugin/commit/a45d3dc52c8b6f49e813a2ee8b796f0302649c69
WEBjenkins.io/security/advisory/2018-06-25/#SECURITY-967