[JENKINS:SECURITY-825] AWS CodeDeploy Plugin persisted possibly sensitive environment variables in job configuration
Severity: Medium
Affected Packages: 2
Fixed Packages: 2
CVEs: 1
AWS CodeDeploy Plugin could persist, in the job's config.xml file, environment variables from the last run of any project that has the post-build step configured.
In some cases, this allowed users with file system access or Extended Read permission to obtain those potentially sensitive environment variables by accessing the project's config.xml.
AWS CodeDeploy Plugin 1.20 and newer no longer stores build environment variables on disk.
Existing job config.xml files will retain the stored environment variables until the job configuration is saved again.

Package | Affected Version |
---|---|
pkg:maven/org.jenkins-ci.plugins/codedeploy | <= 1.19 |
pkg:github/jenkinsci/codedeploy-plugin | <= 1.19 |

Package | Fixed Version |
---|---|
pkg:maven/org.jenkins-ci.plugins/codedeploy | = 1.20 |
pkg:github/jenkinsci/codedeploy-plugin | = 1.20 |

- ID: JENKINS:SECURITY-825
- Severity: medium
- Published: 2018-06-25T00:00:00
- Modified: 2018-06-25T00:00:00
- Rights: Jenkins Security Team
- Other Advisories:

Source | # ID | Name | URL |
---|---|---|---|
Plugin repository | | codedeploy repository | https://github.com/jenkinsci/codedeploy-plugin |

Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
---|---|---|---|---|---|---|---|
Affected | pkg:maven/org.jenkins-ci.plugins/codedeploy | org.jenkins-ci.plugins | codedeploy | <= 1.19 | | | |
Fixed | pkg:maven/org.jenkins-ci.plugins/codedeploy | org.jenkins-ci.plugins | codedeploy | = 1.20 | | | |
Affected | pkg:github/jenkinsci/codedeploy-plugin | jenkinsci | codedeploy-plugin | <= 1.19 | | | |
Fixed | pkg:github/jenkinsci/codedeploy-plugin | jenkinsci | codedeploy-plugin | = 1.20 | | | |