VYPR
Low severity · NVD Advisory · Published Apr 5, 2018 · Updated Sep 16, 2024

CVE-2018-1000143

Description

Jenkins GitHub Pull Request Builder Plugin ≤1.39.0 stores webhook secret in plain text, exposing credentials to local attackers.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Jenkins GitHub Pull Request Builder Plugin version 1.39.0 and earlier exposes the webhook secret shared between Jenkins and GitHub in plain text ([1], [2]). The sensitive data is stored in an unencrypted format accessible via GhprbCause.java and related files on disk ([1]). No special configuration beyond running an affected version is required for this code path to be reachable.

Exploitation

An attacker with local file system access to the Jenkins controller (e.g., a user with read permission on the Jenkins server file system) can retrieve the plain-text webhook secret ([1]). The secret may also be exposed to Jenkins administrators using the configuration UI, for instance through browser extensions or cross-site scripting vulnerabilities ([1]). Exploitation requires no additional authentication or user interaction beyond the necessary file system or administrative access.

Impact

Successful exploitation allows the attacker to obtain the GitHub webhook secret ([1], [2]). This secret can then be used to impersonate Jenkins to GitHub, potentially forging webhook notifications, gaining unauthorized access to repository data, or performing other actions that rely on the shared secret. The scope of compromise is limited to the capability that the secret provides.

Mitigation

A fix was introduced in Jenkins GitHub Pull Request Builder Plugin version 1.40.0, which no longer stores the webhook secret in plain text but encrypts it on disk ([1]). As of version 1.32.1 and newer, the plugin already stores the webhook secret encrypted ([1]); however, the official advisory marks 1.40.0 as the fixed version for this specific vulnerability ([1]). Users should upgrade to 1.40.0 or later. If an upgrade is not possible, restrict local file system access to the Jenkins controller and limit administrative privileges. The vulnerability is listed in CISA KEV (Known Exploited Vulnerabilities) — CVE-2018-1000143 is part of KEV as of 2022-02-15.
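The defender-side question this advisory raises is whether a given Jenkins job configuration still carries the webhook secret in the clear. The following check is an added example, not code from the advisory or from the ghprb plugin: it walks a config.xml document and flags secret-bearing elements whose value is not in Jenkins' encrypted form. It assumes that an encrypted Jenkins Secret is serialised as brace-wrapped base64 (e.g. {AQAAABAAAA...}), which is the modern format and not something the advisory states; the element names it looks for ("secret", "webhookSecret") and both sample documents are constructed placeholders, since the advisory does not name the plugin's actual XML field.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: Jenkins serialises an encrypted hudson.util.Secret as base64
# ciphertext wrapped in braces, e.g. {AQAAABAAAA...}. Older Jenkins releases
# used bare base64, which this check would report as plaintext (a safe default).
ENCRYPTED_SECRET_RE = re.compile(r"^\{[A-Za-z0-9+/]+={0,2}\}$")

# Element names that may hold the webhook secret. These are placeholders; the
# advisory does not name the plugin's real XML field.
SECRET_TAGS = ("secret", "webhookSecret")

# Constructed sample config.xml fragments (not real plugin output).
PLAINTEXT_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<project>
  <triggers>
    <ExampleWebhookTrigger>
      <secret>constructed-plaintext-webhook-secret</secret>
    </ExampleWebhookTrigger>
  </triggers>
</project>
"""

ENCRYPTED_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<project>
  <triggers>
    <ExampleWebhookTrigger>
      <secret>{AQAAABAAAAAwConstructedCiphertextBase64Example0123456789ABCDEF==}</secret>
    </ExampleWebhookTrigger>
  </triggers>
</project>
"""


def classify_secret(value: str) -> str:
    """Return 'empty', 'encrypted' or 'plaintext' for a serialised secret field."""
    v = (value or "").strip()
    if not v:
        return "empty"
    if ENCRYPTED_SECRET_RE.match(v):
        return "encrypted"
    return "plaintext"


def redact(value: str) -> str:
    """Never echo a live secret into a report; keep a two-character locator only."""
    return value.strip()[:2] + "***"


def find_plaintext_secrets(config_xml: str):
    """Walk a config.xml document and report secret fields that are not encrypted.

    Returns a list of (element path, redacted value) tuples. The path is built
    during the walk so a finding can be located without printing the secret.
    """
    root = ET.fromstring(config_xml)
    findings = []

    def walk(elem, path):
        here = f"{path}/{elem.tag}"
        if elem.tag in SECRET_TAGS and classify_secret(elem.text or "") == "plaintext":
            findings.append((here, redact(elem.text)))
        for child in elem:
            walk(child, here)

    walk(root, "")
    return findings


if __name__ == "__main__":
    for name, doc in (("plaintext sample", PLAINTEXT_CONFIG), ("encrypted sample", ENCRYPTED_CONFIG)):
        hits = find_plaintext_secrets(doc)
        print(f"{name}: {len(hits)} plaintext secret field(s)")
        for path, hint in hits:
            print(f"  {path} = {hint}")
```

Run it against each job's config.xml on the controller (and against backups, which inherit the same exposure); any finding means the secret should be rotated on the GitHub side after upgrading, since an encrypted-at-rest copy does not retroactively protect a value that was readable before the upgrade.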

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                        Ecosystem   Affected versions   Patched versions
org.jenkins-ci.plugins:ghprb   Maven       < 1.32.1            1.32.1

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in our index yet)