CVE-2018-1000109
Jenkins Google Play Android Publisher Plugin allows attacker to obtain credential IDs
CVSS 3.1: 4.3 MEDIUM
EPSS: 0.03%
Description
An improper authorization vulnerability exists in Jenkins Google Play Android Publisher Plugin version 1.6 and earlier in `GooglePlayBuildStepDescriptor.java` that allows an attacker to obtain credential IDs. As of version 1.7, enumerating credential IDs and validating specified credentials in this plugin requires the ExtendedRead permission (when that permission is enabled; otherwise the Configure permission) on the job in whose context the credentials are being accessed.
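How to fix CVE-2018-1000109
To fix CVE-2018-1000109, upgrade the affected package to the patched version listed below.
- Upgrade to 1.7 or later
Is CVE-2018-1000109 being exploited?
Low: EPSS is 0.0%, and no large-scale exploitation activity has been observed so far.
Affected packages (1)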
- from 0, < 1.7
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 4.3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |