
CVE-2018-1000403: AWS CodeDeploy Plugin stored AWS Secret Key in plain text

CVSS Score: 7.8 (CVSS v3.0)

Basic Information

EPSS Score: 0.01084%
Published: 5/13/2022
Updated: 1/27/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| com.amazonaws:codedeploy | maven | < 1.20 | 1.20 |

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from two failure points: 1) the AWS Secret Key is stored in plain text in config.xml, which implies a getter that exposes the raw value (getSecretKey()); 2) the configuration persistence mechanism (the configure method) writes the credentials to disk without encryption. The advisory names AWSCodeDeployPublisher.java as the location of the vulnerability and describes both the on-disk storage and the transmission of the key in the configuration form, which matches these common Jenkins plugin credential-handling functions.


WAF Protection Rules

WAF Rule

Jenkins project Jenkins AWS CodeDeploy Plugin version 1.19 and earlier contains an Insufficiently Protected Credentials vulnerability in AWSCodeDeployPublisher.java that can result in credentials disclosure. This attack appears to be exploitable via l
