Bug 1611846 (CVE-2018-1999040) - CVE-2018-1999040 jenkins-plugin-kubernetes: credentials Information Exposure
Summary: CVE-2018-1999040 jenkins-plugin-kubernetes: credentials Information Exposure
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-1999040
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1633947 1633948 1633949 1633950 1633951 1633952 1633953 1633954 1633955 1633956
Blocks: 1611847
Reported: 2018-08-02 22:26 UTC by Laura Pardo
Modified: 2021-10-25 09:49 UTC

Fixed In Version: jenkins-plugin-kubernetes 1.10.2
Clone Of:
Environment:
Last Closed: 2021-10-25 09:49:36 UTC
Embargoed:



Description Laura Pardo 2018-08-02 22:26:40 UTC
An exposure of sensitive information vulnerability exists in Jenkins Kubernetes Plugin 1.10.1 and earlier in KubernetesCloud.java that allows attackers to capture credentials with a known credentials ID stored in Jenkins.


References:
https://jenkins.io/security/advisory/2018-07-30/#SECURITY-1016

Comment 1 Jason Shepherd 2018-09-28 06:29:35 UTC
OCP 3.11 is shipping kubernetes plugin version 1.12.1 so is not affected by this flaw.

