CVE-2017-1000387

HIGH

Jenkins Build-Publisher <1.21 - Info Disclosure

Title source: llm

Description

Jenkins Build-Publisher plugin version 1.21 and earlier stores credentials to other Jenkins instances in the file hudson.plugins.build_publisher.BuildPublisher.xml in the Jenkins master home directory. These credentials were stored unencrypted, allowing anyone with local file system access to access them. Additionally, the credentials were also transmitted in plain text as part of the configuration form. This could result in exposure of the credentials through browser extensions, cross-site scripting vulnerabilities, and similar situations.

References (2)

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/101544

[Vendor Advisory] https://jenkins.io/security/advisory/2017-10-23/

Scores

CVSS v3 7.8

EPSS 0.0001

EPSS Percentile 2.0%

Attack Vector LOCAL

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-522

Status published

Affected Products (2)

jenkins/build-publisher < 1.21

org.jenkins-ci.plugins/build-publisher < 1.22Maven

Timeline

Published Jan 26, 2018

Tracked Since Feb 18, 2026