CVE-2018-1000403
AWS CodeDeploy Plugin stored AWS Secret Key in plain text
7.8
HIGH
CVSS 3.1
EPSS 0.01%
描述
Jenkins project Jenkins AWS CodeDeploy Plugin version 1.19 and earlier contains a Insufficiently Protected Credentials vulnerability in AWSCodeDeployPublisher.java that can result in Credentials Disclosure. This attack appears to be exploitable via local file access. AWS CodeDeploy Plugin 1.20 and newer stores the AWS Secret Key encrypted in the configuration files on disk and no longer transfers it to users viewing the configuration form in plain text. Existing jobs need to have their configuration saved for existing plain text secret keys to be overwritten.
如何修補 CVE-2018-1000403
要修補 CVE-2018-1000403,請將受影響套件升級到下列已修補版本。
- —升級至 1.20 或更新版本
CVE-2018-1000403 正在被利用嗎?
低 — EPSS 為 0.0%,目前沒有觀察到大規模利用活動。
受影響套件(1)
- from 0, < 1.20
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.8 | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |