CVE-2018-1000608 — Jenkins z/OS Connector Plugin allows local attacker to retrieve configured passw

描述

A exposure of sensitive information vulnerability exists in Jenkins z/OS Connector Plugin 1.2.6.1 and earlier in SCLMSCM.java that allows an attacker with local file system access or control of a Jenkins administrator's web browser (e.g. malicious extension) to retrieve the configured password. IBM z/OS Connector Plugin 2.0.0 and newer integrates with Credentials Plugin, no longer storing credentials itself.

如何修補 CVE-2018-1000608

要修補 CVE-2018-1000608,請將受影響套件升級到下列已修補版本。

—升級至 2.0.0 或更新版本

CVE-2018-1000608 正在被利用嗎?

低 — EPSS 為 0.1%,目前沒有觀察到大規模利用活動。

受影響套件(1)

from 0, < 2.0.0

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	LOW3.3	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

參考連結(3)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2018-1000608
PATCHgithub.com/jenkinsci/zos-connector-plugin
WEBjenkins.io/security/advisory/2018-06-25/#SECURITY-950