CVE-2018-1000404 — Insufficiently Protected Credentials in Jenkins AWS CodeBuild Plugin

描述

Jenkins project Jenkins AWS CodeBuild Plugin version 0.26 and earlier contains a Insufficiently Protected Credentials vulnerability in AWSClientFactory.java, CodeBuilder.java that can result in Credentials Disclosure. This attack appear to be exploitable via local file access. This vulnerability appears to have been fixed in 0.27 and later.

如何修補 CVE-2018-1000404

要修補 CVE-2018-1000404,請將受影響套件升級到下列已修補版本。

—升級至 0.27 或更新版本

CVE-2018-1000404 正在被利用嗎?

低 — EPSS 為 0.0%,目前沒有觀察到大規模利用活動。

受影響套件(1)

from 0, < 0.27

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	HIGH7.8	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

參考連結(3)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2018-1000404
WEBgithub.com/jenkinsci/aws-codebuild-plugin/commit/f5bae399c245ff6a7131ce9cca9636f5971d582c
WEBjenkins.io/security/advisory/2018-06-25/#SECURITY-834