CVE-2018-1000403: AWS CodeDeploy Plugin stored AWS Secret Key in plain text
CVSS Score: 7.8 (CVSS 3.0)
Basic Information
CVE ID: CVE-2018-1000403
GHSA ID:
EPSS Score: 0.01084%
CWE:
Published: 5/13/2022
Updated: 1/27/2023
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| com.amazonaws:codedeploy | maven | < 1.20 | 1.20 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from two key failure points:
1) The AWS Secret Key was stored in plain text in config.xml files, which would require a getter method exposing the raw value (getSecretKey()).
2) The configuration persistence mechanism (the configure method) wrote the credentials to disk without encryption.
The advisory specifically names AWSCodeDeployPublisher.java as the location of the vulnerability and describes both the on-disk storage and the form transmission issues, which align with these common Jenkins plugin credential handling functions.