CVE-2018-1999036

LOW3.1EPSS 0.19%

Jenkins SSH Agent Plugin exposes SSH private key password to users with permission to read the build log

發布日:2022/5/13修改日:2024/2/16

描述

An exposure of sensitive information vulnerability exists in Jenkins SSH Agent Plugin 1.15 and earlier in SSHAgentStepExecution.java that exposes the SSH private key password to users with permission to read the build log. As of version 1.16, the plugin no longer logs the ssh-add invocation that would reveal the passphrase.

受影響套件(1)

Maven/org.jenkins-ci.plugins:ssh-agentfrom 0, < 1.16

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	LOW3.1	CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

參考連結(4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2018-1999036
PATCHhttps://github.com/jenkinsci/ssh-agent-plugin
WEBhttps://github.com/jenkinsci/ssh-agent-plugin/commit/3a8abe1889d25f9a73cdba202cf27212b273de4d
WEBhttps://jenkins.io/security/advisory/2018-07-30/#SECURITY-704