Miggo Logo
Miggo Vulnerability Database
CVE-2018-1000609

CVE-2018-1000609: Jenkins Configuration as Code Plugin vulnerable to Exposure of Sensitive Information

6.5

CVSS Score
3.0

Basic Information

CVE ID
CVE-2018-1000609
GHSA ID
GHSA-393r-r9mq-g9jv
EPSS Score
0.22669%
CWE
CWE-200
Published
5/14/2022
Updated
1/29/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
io.jenkins:configuration-as-codemaven< 0.8-alpha0.8-alpha

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from missing permission checks in the configuration export endpoint. The Jenkins security advisory explicitly identifies ConfigurationAsCode.java as the vulnerable component and describes the lack of authorization in the export method. The doExport method (or equivalent entry point for the export URL) would be the direct handler for this functionality. The fix in 0.8-alpha would have added a permission check like Jenkins.ADMINISTER or similar, but prior versions would execute this method with only Overall/Read access. This matches the CWE-200 pattern of unauthorized data exposure through missing access controls.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* *xposur* o* s*nsitiv* in*orm*tion vuln*r**ility *xists in J*nkins *on*i*ur*tion *s *o** Plu*in *.*-*lp** *n* **rli*r in *on*i*ur*tion*s*o**.j*v* t**t *llows *tt**k*rs wit* Ov*r*ll/R*** ****ss to o*t*in t** Y*ML *xport o* t** J*nkins *on*i*ur*tion.

Reasoning

T** vuln*r**ility st*ms *rom missin* p*rmission ****ks in t** *on*i*ur*tion *xport *n*point. T** J*nkins s**urity **visory *xpli*itly i**nti*i*s `*on*i*ur*tion*s*o**.j*v*` *s t** vuln*r**l* *ompon*nt *n* **s*ri**s t** l**k o* *ut*oriz*tion in t** `*x