CVE-2018-1000143
Jenkins GitHub Pull Request Builder Plugin
3.1
LOW
CVSS 3.1
EPSS 0.02%
Description
GitHub Pull Request Builder Plugin stored the webhook secret shared between Jenkins and GitHub in plain text in its configuration on the Jenkins controller. This allowed users with local file system access to the controller to read the secret from disk, and Jenkins administrators to read it from the plugin's configuration form. The latter could result in exposure of the secret through browser extensions, cross-site scripting vulnerabilities, and similar situations. GitHub Pull Request Builder Plugin 1.32.1 and newer stores the webhook secret encrypted on disk.
How to fix CVE-2018-1000143
To remediate CVE-2018-1000143, upgrade the affected plugin to a fixed version:
- Upgrade GitHub Pull Request Builder Plugin to 1.32.1 or later.
- Treat the webhook secret that was stored in plain text as exposed: rotate it in both Jenkins and the GitHub webhook configuration after upgrading.
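After upgrading, a practitioner will want to confirm that the secret on the controller's disk is no longer readable. The following script is an added example, not code from the plugin or from this page: it parses a Jenkins descriptor XML file and reports credential-like elements whose value is not in the brace-wrapped base64 form that Jenkins uses when it serialises `hudson.util.Secret`. The file name `$JENKINS_HOME/org.jenkinsci.plugins.ghprb.GhprbTrigger.xml`, the element names in the sample and the tag list `SECRET_TAGS` are assumptions; the two sample configurations are constructed for the example, not captured from a real controller. If the scan still reports plain text after the upgrade, re-save the global configuration in Jenkins so the file is rewritten in the encrypted form, and rotate the secret in any case.

```python
"""Check a Jenkins controller config file for credentials stored in plain text.

Jenkins serialises hudson.util.Secret fields on disk as base64 wrapped in braces
("{AQAAABAAAAAQ...}"). A bare string in such a field is readable by anyone with
local file system access, which is the condition CVE-2018-1000143 describes.
"""
import base64
import binascii
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Serialised form of hudson.util.Secret: "{" + base64 + "}".
ENCRYPTED_RE = re.compile(r"^\{[A-Za-z0-9+/]+={0,2}\}$")

# Element names that typically hold credentials. Assumption: "secret" is the element
# the plugin uses for the webhook secret; extend the tuple for other plugins.
SECRET_TAGS = ("secret", "password", "token", "accesstoken", "apikey")


def classify_secret_value(value):
    """Return 'empty', 'encrypted' or 'plaintext' for one stored credential value."""
    value = (value or "").strip()
    if not value:
        return "empty"
    if ENCRYPTED_RE.match(value):
        try:
            base64.b64decode(value[1:-1], validate=True)
            return "encrypted"
        except binascii.Error:
            pass
    # Anything that is not the brace-wrapped Secret format is reported as plaintext.
    # This is deliberately conservative: a value that merely looks like bare base64
    # is still flagged, which is the right default for a manual review.
    return "plaintext"


def _walk(elem, path=""):
    """Yield (path, element) for every element in document order."""
    path = f"{path}/{elem.tag}"
    yield path, elem
    for child in elem:
        yield from _walk(child, path)


def find_plaintext_secrets(xml_text):
    """Return the paths of all credential-like elements stored in plain text."""
    root = ET.fromstring(xml_text)
    return [
        path
        for path, elem in _walk(root)
        if elem.tag.lower() in SECRET_TAGS
        and classify_secret_value(elem.text) == "plaintext"
    ]


# Constructed sample configs (assumption: the element layout mirrors how XStream
# names a plugin's global descriptor; it is illustrative, not a captured file).
VULNERABLE_CONFIG = """\
<org.jenkinsci.plugins.ghprb.GhprbTrigger_-DescriptorImpl>
  <githubAuth>
    <org.jenkinsci.plugins.ghprb.GhprbGitHubAuth>
      <serverAPIUrl>https://api.github.com</serverAPIUrl>
      <credentialsId>github-bot</credentialsId>
      <secret>hook-shared-secret-in-the-clear</secret>
    </org.jenkinsci.plugins.ghprb.GhprbGitHubAuth>
  </githubAuth>
</org.jenkinsci.plugins.ghprb.GhprbTrigger_-DescriptorImpl>
"""

# Same file after the secret has been re-saved as an encrypted Secret (constructed value).
FIXED_CONFIG = VULNERABLE_CONFIG.replace(
    "hook-shared-secret-in-the-clear",
    "{AQAAABAAAAAQ3xGr9kz2V1c8QxXTbFzv0lE6cYh0Gz3hZbV1b2P6r8M=}",
)


def main(argv):
    """Scan the files named on the command line, or the built-in samples if none.

    Returns 1 when any plaintext credential was found, else 0.
    """
    if len(argv) > 1:
        sources = [(p, Path(p).read_text(encoding="utf-8")) for p in argv[1:]]
    else:
        sources = [("sample-vulnerable", VULNERABLE_CONFIG), ("sample-fixed", FIXED_CONFIG)]
    exit_code = 0
    for name, text in sources:
        hits = find_plaintext_secrets(text)
        for path in hits:
            print(f"{name}: plaintext credential at {path}")
        if hits:
            exit_code = 1
    return exit_code


if __name__ == "__main__":
    # Typical use on a controller (path is an assumption):
    #   python3 check_secret.py "$JENKINS_HOME/org.jenkinsci.plugins.ghprb.GhprbTrigger.xml"
    sys.exit(main(sys.argv))
```

The scan reads only the on-disk form and says nothing about what the configuration form shows in the browser; the fixed plugin version addresses both, but only the disk check can be scripted from the controller.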
Is CVE-2018-1000143 being exploited?
Low. EPSS is 0.02%, a very low estimated probability of exploitation in the wild within the next 30 days. Exploiting this issue also requires local file system access to the controller, Jenkins administrator access, or a separate browser-side weakness such as cross-site scripting.
Affected packages (1)
- Jenkins GitHub Pull Request Builder Plugin: all versions from 0 up to, but not including, 1.32.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | LOW (3.1) | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N |