Miggo Logo
Miggo Vulnerability Database
CVE-2018-1000147

CVE-2018-1000147:
Jenkins Perforce Plugin exposure of sensitive information vulnerability exists

6.5

CVSS Score
3.0

Basic Information

CVE ID
CVE-2018-1000147
GHSA ID
GHSA-jrhw-r343-pjwj
EPSS Score
0.53668%
CWE
CWE-200
Published
5/14/2022
Updated
1/9/2024
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.jvnet.hudson.plugins:perforcemaven<= 1.3.36

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from custom credential encryption in PerforcePasswordEncryptor.java using DES with a static key. Both encryption and decryption functions are vulnerable because: 1) DES is cryptographically weak, 2) The encryption key is hard-coded in the plugin's source (CWE-200), 3) Jenkins' permission system couldn't protect these credentials as the encryption wasn't considered a true secret. The advisory explicitly states this implementation allows unauthorized password retrieval through these functions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n *xposur* o* s*nsitiv* in*orm*tion vuln*r**ility *xists in J*nkins P*r*or** Plu*in v*rsion *.*.** *n* ol**r in P*r*or**P*sswor**n*ryptor.j*v* t**t *llows *tt**k*rs wit* insu**i*i*nt p*rmission to o*t*in P*r*or** p*sswor*s *on*i*ur** in jo*s to o*t*

Reasoning

T** vuln*r**ility st*ms *rom *ustom *r***nti*l *n*ryption in `P*r*or**P*sswor**n*ryptor.j*v*` usin* **S wit* * st*ti* k*y. *ot* *n*ryption *n* ***ryption `*un*tions` *r* vuln*r**l* ****us*: *) **S is *rypto*r*p*i**lly w**k, *) T** *n*ryption k*y is *