Description

An exposure of sensitive information vulnerability exists in Jenkins SSH Agent Plugin 1.15 and earlier in SSHAgentStepExecution.java that exposes the SSH private key password to users with permission to read the build log.

Remediation

References

https://jenkins.io/security/advisory/2018-07-30/#SECURITY-704

Related Vulnerabilities

CVE-2015-5298 Vulnerability in maven package org.jenkins-ci.plugins:google-login

CVE-2016-7191 Vulnerability in npm package passport-azure-ad

CVE-2017-5661 Vulnerability in maven package org.apache.xmlgraphics:fop

CVE-2018-1000401 Vulnerability in maven package org.jenkins-ci.plugins:aws-codepipeline

CVE-2012-5886 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core

Severity

High

Classification

CWE-532 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Vendor Advisory