7.8

CVSS Score

3.0

Basic Information

CVE ID

CVE-2018-1000403

GHSA ID

GHSA-h66p-m766-33fv

EPSS Score

0.01084%

CWE

CWE-522

Published

5/13/2022

Updated

1/27/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2018-1000403

CVE-2018-1000403:
AWS CodeDeploy Plugin stored AWS Secret Key in plain text

Jenkins project Jenkins AWS CodeDeploy Plugin version 1.19 and earlier contains a Insufficiently Protected Credentials vulnerability in AWSCodeDeployPublisher.java that can result in Credentials Disclosure. This attack appears to be exploitable via local file access.

AWS CodeDeploy Plugin 1.20 and newer stores the AWS Secret Key encrypted in the configuration files on disk and no longer transfers it to users viewing the configuration form in plain text. Existing jobs need to have their configuration saved for existing plain text secret keys to be overwritten.

(GitHub Advisory)

7.8

CVSS Score

3.0

Basic Information

CVE ID

CVE-2018-1000403

GHSA ID

GHSA-h66p-m766-33fv

EPSS Score

0.01084%

CWE

CWE-522

Published

5/13/2022

Updated

1/27/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.amazonaws:codedeploy	maven	< 1.20	1.20

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from two key failure points: 1) Storage of AWS Secret Key in plain text in config.xml files, which would require a getter method exposing the raw value (getSecretKey()). 2) The configuration persistence mechanism that wrote credentials without encryption (configure method). The advisory specifically mentions AWSCodeDeployPublisher.java as the location of the vulnerability and describes both disk storage and form transmission issues, which align with these common Jenkins plugin credential handling functions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*nkins proj**t J*nkins *WS *o****ploy Plu*in v*rsion *.** *n* **rli*r *ont*ins * Insu**i*i*ntly Prot**t** *r***nti*ls vuln*r**ility in *WS*o****ployPu*lis**r.j*v* t**t **n r*sult in *r***nti*ls *is*losur*. T*is *tt**k *pp**rs to ** *xploit**l* vi* l

Reasoning

T** vuln*r**ility st*ms *rom two k*y **ilur* points: *) Stor*** o* *WS S**r*t K*y in pl*in t*xt in `*on*i*.xml` *il*s, w*i** woul* r*quir* * **tt*r m*t*o* *xposin* t** r*w v*lu* (`**tS**r*tK*y()`). *) T** *on*i*ur*tion p*rsist*n** m****nism t**t wrot

7.8

Basic Information

Concerned about an active attack path?

CVE-2018-1000403: AWS CodeDeploy Plugin stored AWS Secret Key in plain text

7.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2018-1000403:
AWS CodeDeploy Plugin stored AWS Secret Key in plain text

Vulnerability Intelligence
Miggo AI