CVE-2018-1000142
Description
Jenkins GitHub Pull Request Builder Plugin stores GitHub credentials in serialized objects in build.xml, allowing local file system access.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
GitHub Pull Request Builder Plugin (ghprb) versions 1.39.0 and older store serialized objects in build.xml files that contain the GitHub access token used to poll Jenkins [1][2]. This allows users with access to the Jenkins controller file system to retrieve GitHub credentials.
Exploitation
An attacker needs local file system access to the Jenkins controller to read the build.xml files where the serialized credential is stored. No special authentication or user interaction is required beyond having file read permissions on the Jenkins controller.
Impact
Successful exploitation results in exposure of GitHub credentials (access tokens) stored by the plugin, allowing the attacker to impersonate the Jenkins instance on GitHub, potentially accessing private repositories or performing unauthorized actions.
Mitigation
The vulnerability is fixed in GitHub Pull Request Builder Plugin version 1.40.0, which no longer stores serialized objects containing the credential on disk [2]. Users should upgrade to version 1.40.0 or later. The plugin is deprecated and replaced by the GitHub Branch Source Plugin; migration is recommended [1].
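An added example, not code from the plugin or the advisory: a defender-side audit that walks a Jenkins home directory and lists build.xml files carrying data written by a ghprb version older than 1.40.0, along with whether each file is readable beyond its owner. It assumes Jenkins marks serialized plugin data with a `plugin="ghprb@<version>"` attribute; the function names and the sample tree are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Assumption: serialized plugin data carries plugin="<short name>@<version>".
MARKER = re.compile(r'plugin="ghprb@(\d+(?:\.\d+)*)')
FIXED = (1, 40, 0)  # first fixed release, per the page


def parse_version(text):
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))  # "1.40" -> (1, 40, 0)


def audit_build_records(jenkins_home):
    """Return build.xml files that embed data from ghprb < 1.40.0."""
    findings = []
    for root, _dirs, files in os.walk(jenkins_home):
        if "build.xml" not in files:
            continue
        path = os.path.join(root, "build.xml")
        with open(path, encoding="utf-8", errors="replace") as fh:
            found = {parse_version(v) for v in MARKER.findall(fh.read())}
        old = sorted(v for v in found if v < FIXED)
        if old:
            mode = stat.S_IMODE(os.stat(path).st_mode)
            findings.append({
                "path": path,
                "versions": [".".join(map(str, v)) for v in old],
                # Group/other read bits widen who can read the stored credential.
                "readable_beyond_owner": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
            })
    return sorted(findings, key=lambda f: f["path"])


def make_sample_home():
    """Constructed sample tree; element names are placeholders, not real classes."""
    home = tempfile.mkdtemp(prefix="jenkins_home_")
    samples = {"1": 'plugin="ghprb@1.39.0"', "2": 'plugin="ghprb@1.40.0"', "3": ""}
    for number, attr in samples.items():
        build_dir = os.path.join(home, "jobs", "demo", "builds", number)
        os.makedirs(build_dir)
        path = os.path.join(build_dir, "build.xml")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(f"<build><example.Element {attr}/></build>\n")
        os.chmod(path, 0o644)
    return home
```

Calling `audit_build_records(make_sample_home())` reports only the build written with 1.39.0; on a real controller, pass the Jenkins home path instead.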
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:ghprb (Maven) | < 1.40.0 | 1.40.0 |
Affected products: 1
Patches: 0
No patches discovered yet.
References
- github.com/advisories/GHSA-hr74-2j5v-ghfv (source: ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-1000142 (source: ghsa; ADVISORY)
- jenkins.io/security/advisory/2018-03-26/ (source: ghsa; x_refsource_CONFIRM, WEB)