Information Exposure Affecting org.jenkins-ci.plugins:ssh-agent package, versions [,1.16)
Snyk CVSS
- Attack Complexity: Low
- Confidentiality: High
Threat Intelligence
- EPSS: 0.07% (30th percentile)
- Snyk ID SNYK-JAVA-ORGJENKINSCIPLUGINS-32452
- published 2 Aug 2018
- disclosed 30 Jul 2018
- credit Jan Hollevoet
Introduced: 30 Jul 2018
CVE-2018-1999036
How to fix?
Upgrade org.jenkins-ci.plugins:ssh-agent to version 1.16 or higher.
Overview
org.jenkins-ci.plugins:ssh-agent allows you to provide SSH credentials to builds via an ssh-agent in Jenkins.
Affected versions of this package are vulnerable to Information Exposure via the SSHAgentStepExecution.java class. It exposes the SSH private key password to users with permission to read the build log.