First published: Wed Jan 09 2019
An insufficiently protected credentials vulnerability exists in Jenkins Artifactory Plugin 2.16.1 and earlier, in ArtifactoryBuilder.java and CredentialsConfig.java, that allows attackers with local file system access to obtain old credentials that were configured for the plugin before it integrated with the Credentials Plugin.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
JFrog Artifactory | <=2.16.1 | |
maven/org.jenkins-ci.plugins:artifactory | <2.16.2 | 2.16.2 |
 | <=2.16.1 | |
The vulnerability ID for this issue is CVE-2018-1000424.
The severity of CVE-2018-1000424 is high with a CVSS score of 7.8.
Jenkins Artifactory Plugin versions 2.16.1 and earlier are affected by CVE-2018-1000424.
An attacker with local file system access can exploit CVE-2018-1000424 to obtain old credentials configured for the Artifactory Plugin before it integrated with Credential Management in Jenkins.
More information about CVE-2018-1000424 is available at the following references: [SecurityFocus](http://www.securityfocus.com/bid/106532) and [Jenkins Security Advisory](https://jenkins.io/security/advisory/2018-09-25/#SECURITY-265).