CVE-2017-1000114: Infoleak
First published: Wed Oct 04 2017(Updated: )
The Datadog Plugin stores an API key to access the Datadog service in the global Jenkins configuration. While the API key is stored encrypted on disk, it was transmitted in plain text as part of the configuration form. This could result in exposure of the API key for example through browser extensions or cross-site scripting vulnerabilities. The Datadog Plugin now encrypts the API key transmitted to administrators viewing the global configuration form.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Jenkins Datadog | <=0.5.6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2017-1000114?
CVE-2017-1000114 is categorized as a moderate severity vulnerability due to the potential exposure of sensitive API keys.
How do I fix CVE-2017-1000114?
To fix CVE-2017-1000114, upgrade the Datadog Plugin for Jenkins to version 0.5.7 or later where the issue is resolved.
What software is affected by CVE-2017-1000114?
CVE-2017-1000114 affects the Datadog Plugin for Jenkins versions up to and including 0.5.6.
Can CVE-2017-1000114 lead to data leaks?
Yes, CVE-2017-1000114 can lead to data leaks as it exposes API keys in plain text during transmission.
Is CVE-2017-1000114 exploitable in all configurations?
CVE-2017-1000114 is primarily exploitable when the Jenkins configuration is accessed inappropriately, such as through browser extensions.
- collector/nvd-index
- agent/type
- agent/references
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/severity
- agent/author
- agent/last-modified-date
- agent/softwarecombine
- agent/description
- agent/first-publish-date
- agent/event
- agent/tags
- agent/source
- vendor/jenkins
- canonical/jenkins datadog
- version/jenkins datadog/0.5.6