[JENKINS:SECURITY-825] AWS CodeDeploy Plugin persisted possibly sensitive environment variables in job configuration

Severity Medium

Affected Packages 2

Fixed Packages 2

CVEs 1

AWS CodeDeploy Plugin could persist environment variables from the last run of any project with the post-build step configured in the job's config.xml file.

In some cases, this allowed users with file system access or Extended Read permission to obtain those potentially sensitive environment variables by accessing the project's config.xml.

AWS CodeDeploy Plugin 1.20 and newer no longer stores build environment variables on disk.
Existing job config.xml will retain the stored environment variables until the job configuration is saved again.

Package	Affected Version
pkg:maven/org.jenkins-ci.plugins/codedeploy	<= 1.19
pkg:github/jenkinsci/codedeploy-plugin	<= 1.19

Package	Fixed Version
pkg:maven/org.jenkins-ci.plugins/codedeploy	= 1.20
pkg:github/jenkinsci/codedeploy-plugin	= 1.20

ID

JENKINS:SECURITY-825

Severity

medium

Published

2018-06-25T00:00:00
(6 years ago)

Modified

2018-06-25T00:00:00
(6 years ago)

Rights

Jenkins Security Team

Other Advisories

MAVEN:GHSA-644J-JCC4-CRX7

Source	# ID	Name	URL
Plugin repository		codedeploy repository	https://github.com/jenkinsci/codedeploy-plugin

Type	Package URL	Namespace	Name / Product	Version
Affected	pkg:maven/org.jenkins-ci.plugins/codedeploy	org.jenkins-ci.plugins	codedeploy	<= 1.19
Fixed	pkg:maven/org.jenkins-ci.plugins/codedeploy	org.jenkins-ci.plugins	codedeploy	= 1.20
Affected	pkg:github/jenkinsci/codedeploy-plugin	jenkinsci	codedeploy-plugin	<= 1.19
Fixed	pkg:github/jenkinsci/codedeploy-plugin	jenkinsci	codedeploy-plugin	= 1.20

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date