CVE-2018-1000401 — Jenkins AWS CodePipeline Plugin has Insufficiently Protected Credentials

描述

Jenkins project Jenkins AWS CodePipeline Plugin version 0.36 and earlier contains a Insufficiently Protected Credentials vulnerability in AWSCodePipelineSCM.java that can result in Credentials Disclosure. This attack appear to be exploitable via local file access. This vulnerability appears to have been fixed in 0.37 and later.

如何修補 CVE-2018-1000401

要修補 CVE-2018-1000401,請將受影響套件升級到下列已修補版本。

—升級至 0.37 或更新版本

CVE-2018-1000401 正在被利用嗎?

低 — EPSS 為 0.0%,目前沒有觀察到大規模利用活動。

受影響套件(1)

from 0, < 0.37

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	HIGH7.8	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

參考連結(3)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2018-1000401
WEBgithub.com/jenkinsci/aws-codepipeline-plugin/commit/a45d3dc52c8b6f49e813a2ee8b796f0302649c69
WEBjenkins.io/security/advisory/2018-06-25/#SECURITY-967