CVE-2018-1000192: Exposure of Sensitive Information to an Unauthorized Actor in Jenkins

CVSS Score (v3.0): 4.3

Basic Information

EPSS Score: 0.65945%
Published: 5/13/2022
Updated: 1/27/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Affected packages:

Package Name                        Ecosystem   Vulnerable Versions    First Patched Version
org.jenkins-ci.main:jenkins-core    maven       <= 2.107.2             2.107.3
org.jenkins-ci.main:jenkins-core    maven       >= 2.108, <= 2.120     2.121

Vulnerability Intelligence
Root Cause Analysis

The patches indicate that the vulnerability was due to a lack of proper permission checks in the ListPluginsCommand CLI command and the AboutJenkins page. The functions identified are those directly touched by these changes.


WAF Protection Rules

WAF Rule

An information exposure vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in AboutJenkins.java, ListPluginsCommand.java that allows users with Overall/Read access to enumerate all installed plugins.

Reasoning

The patches indicate that the vulnerability was due to a lack of proper permission checks in the `ListPluginsCommand` and the `AboutJenkins` page. The functions identified are directly related to these changes.