[MAVEN:GHSA-WWGX-94V6-FC2P] Jenkins SSH Agent Plugin exposes SSH private key password to users with permission to read the build log

Severity Low
Affected Packages 1
Fixed Packages 1
CVEs 1

An exposure of sensitive information vulnerability exists in Jenkins SSH Agent Plugin 1.15 and earlier in SSHAgentStepExecution.java that exposes the SSH private key password to users with permission to read the build log. As of version 1.16, the plugin no longer logs the ssh-add invocation that would reveal the passphrase.

Package Affected Version
pkg:maven/org.jenkins-ci.plugins/ssh-agent <= 1.15
Package Fixed Version
pkg:maven/org.jenkins-ci.plugins/ssh-agent = 1.16
ID: MAVEN:GHSA-WWGX-94V6-FC2P
Severity: low
URL: https://github.com/advisories/GHSA-wwgx-94v6-fc2p
Published: 2022-05-13T01:50:55 (2 years ago)
Modified: 2023-12-15T17:13:12 (9 months ago)
Rights: Maven Security Team
Other Advisories
Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix
Affected | pkg:maven/org.jenkins-ci.plugins/ssh-agent | org.jenkins-ci.plugins | ssh-agent | <= 1.15 | | |
Fixed | pkg:maven/org.jenkins-ci.plugins/ssh-agent | org.jenkins-ci.plugins | ssh-agent | = 1.16 | | |