CVE-2017-1000387
Description
Jenkins Build-Publisher plugin version 1.21 and earlier stores credentials to other Jenkins instances in the file hudson.plugins.build_publisher.BuildPublisher.xml in the Jenkins master home directory. These credentials were stored unencrypted, allowing anyone with local file system access to access them. Additionally, the credentials were also transmitted in plain text as part of the configuration form. This could result in exposure of the credentials through browser extensions, cross-site scripting vulnerabilities, and similar situations.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins Build-Publisher plugin ≤1.21 stores credentials to other Jenkins instances in plain text, risking exposure via file access or network interception.
Vulnerability
The Jenkins Build-Publisher plugin version 1.21 and earlier stores credentials to other Jenkins instances in the file hudson.plugins.build_publisher.BuildPublisher.xml in the Jenkins master home directory without encryption. Additionally, the credentials are transmitted in plain text as part of the configuration form [1].
Exploitation
An attacker with local file system access to the Jenkins master can read the BuildPublisher.xml file and retrieve the stored credentials. The plain text transmission also allows attackers to intercept credentials via browser extensions, cross-site scripting attacks, or other means of eavesdropping on the configuration form [1].
Impact
Successful exploitation leads to exposure of credentials used to access other Jenkins instances. The attacker could then use these credentials to gain unauthorized access to those instances with the same privileges as the configured user [1].
Mitigation
No fix is mentioned in the available references [1]. Users should consider upgrading the plugin if a newer version is available, or remove the plugin if not needed.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
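As an added defender-side check (not code from the advisory or from the plugin), the script below audits a Build-Publisher style configuration file for secret-bearing elements that are not in Jenkins' encrypted `{...}` form, so an administrator can tell whether a master still holds plain-text credentials that need rotating. The element names (`HudsonInstance`, `name`, `login`, `password`) and the sample file are constructed assumptions modelled loosely on the plugin; the real file layout may differ.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample resembling a Build-Publisher config file. Element names are an
# assumption; only the file name comes from the advisory.
SAMPLE_CONFIG = """<?xml version='1.0' encoding='UTF-8'?>
<hudson.plugins.build__publisher.BuildPublisher>
  <publicInstances>
    <hudson.plugins.build__publisher.HudsonInstance>
      <name>staging</name>
      <url>https://staging.example.internal/</url>
      <login>publisher</login>
      <password>plain-text-password</password>
    </hudson.plugins.build__publisher.HudsonInstance>
    <hudson.plugins.build__publisher.HudsonInstance>
      <name>prod</name>
      <url>https://prod.example.internal/</url>
      <login>publisher</login>
      <password>{AQAAABAAAAAQY29uc3RydWN0ZWQtY2lwaGVydGV4dA==}</password>
    </hudson.plugins.build__publisher.HudsonInstance>
  </publicInstances>
</hudson.plugins.build__publisher.BuildPublisher>
"""

# Jenkins' Secret class serialises encrypted values as base64 wrapped in braces.
ENCRYPTED_SECRET = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")

# Element names that should never hold a readable value (assumed set).
SECRET_TAGS = {"password", "apiToken", "secret"}


def is_encrypted_form(value):
    """True if the value looks like a Jenkins-encrypted secret rather than plain text."""
    return bool(ENCRYPTED_SECRET.match(value.strip()))


def find_plaintext_secrets(xml_text):
    """Return (instance_name, tag, length) for each secret stored unencrypted.

    The secret itself is never returned or printed; only its length is reported.
    """
    root = ET.fromstring(xml_text)
    # ElementTree has no parent pointers, so build a child -> parent map once.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        if elem.tag not in SECRET_TAGS:
            continue
        value = (elem.text or "").strip()
        if not value or is_encrypted_form(value):
            continue
        owner = parent_of.get(elem)
        name = owner.findtext("name", default="?") if owner is not None else "?"
        findings.append((name, elem.tag, len(value)))
    return findings


def audit_file(path):
    """Audit an on-disk config file; returns the same finding tuples."""
    with open(path, encoding="utf-8") as fh:
        return find_plaintext_secrets(fh.read())


if __name__ == "__main__":
    # Usage: python audit_build_publisher.py [$JENKINS_HOME/hudson.plugins.build_publisher.BuildPublisher.xml]
    results = audit_file(sys.argv[1]) if len(sys.argv) > 1 else find_plaintext_secrets(SAMPLE_CONFIG)
    for name, tag, length in results:
        print(f"instance {name!r}: <{tag}> stored unencrypted ({length} chars); rotate it")
    if not results:
        print("no plain-text secrets found")
```

Run it against the file named in the advisory; any reported instance should have its credential rotated on the remote Jenkins, since anyone who could read the file may already hold it.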
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:build-publisher (Maven) | < 1.22 | 1.22 |
Affected products
- Range: <= 1.21
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-m3wv-fr8v-fmh7 (GHSA: advisory)
- nvd.nist.gov/vuln/detail/CVE-2017-1000387 (GHSA: advisory)
- www.securityfocus.com/bid/101544 (GHSA: vdb-entry, x_refsource_BID, web)
- jenkins.io/security/advisory/2017-10-23 (GHSA: web)
- jenkins.io/security/advisory/2017-10-23/ (MITRE: x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.