CVE-2018-1000608 — Jenkins z/OS Connector Plugin allows local attacker to retrieve configured passw

Description

A exposure of sensitive information vulnerability exists in Jenkins z/OS Connector Plugin 1.2.6.1 and earlier in SCLMSCM.java that allows an attacker with local file system access or control of a Jenkins administrator's web browser (e.g. malicious extension) to retrieve the configured password. IBM z/OS Connector Plugin 2.0.0 and newer integrates with Credentials Plugin, no longer storing credentials itself.

How to fix CVE-2018-1000608

To remediate CVE-2018-1000608, upgrade the affected package to a fixed version below.

—upgrade to 2.0.0 or later

Is CVE-2018-1000608 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 2.0.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	LOW3.3	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References (3)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2018-1000608
PATCHgithub.com/jenkinsci/zos-connector-plugin
WEBjenkins.io/security/advisory/2018-06-25/#SECURITY-950