3.3

CVSS Score

3.0

-

CVSS Score

Basic Information

CVE ID

CVE-2018-1000608

GHSA ID

GHSA-5fq9-x9f4-x2r2

EPSS Score

0.17785%

CWE

CWE-522

Published

5/13/2022

Updated

2/1/2023

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2018-1000608

CVE-2018-1000608: Jenkins z/OS Connector Plugin allows local attacker to retrieve configured password

A exposure of sensitive information vulnerability exists in Jenkins z/OS Connector Plugin 1.2.6.1 and earlier in SCLMSCM.java that allows an attacker with local file system access or control of a Jenkins administrator's web browser (e.g. malicious extension) to retrieve the configured password. IBM z/OS Connector Plugin 2.0.0 and newer integrates with Credentials Plugin, no longer storing credentials itself.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2018-1000608

CVE-2018-1000608:

3.3

CVSS Score

3.0

-

CVSS Score

Basic Information

CVE ID

CVE-2018-1000608

GHSA ID

GHSA-5fq9-x9f4-x2r2

EPSS Score

0.17785%

CWE

CWE-522

Published

5/13/2022

Updated

2/1/2023

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.plugins:zos-connector	maven	<= 1.2.6.1	2.0.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability description explicitly identifies SCLMSCM.java as the source of the issue. The root cause is insufficient credential protection (CWE-522), specifically storing passwords in plain text. The patched version (2.0.0) migrated to the Credentials Plugin, confirming that prior versions handled credentials directly in SCLMSCM. While the exact method names aren't provided in the advisory, the class itself is the logical locus of the vulnerability given the context about configuration storage and credential exposure.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

3.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2018-1000608: Jenkins z/OS Connector Plugin allows local attacker to retrieve configured password

CVE-2018-1000608:

3.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Basic Information

Basic Information

3.3

3.3

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2018-1000608: Jenkins z/OS Connector Plugin allows local attacker to retrieve configured password

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI