CVE-2018-1000176
Description
An exposure of sensitive information vulnerability exists in Jenkins Email Extension Plugin 2.61 and older in src/main/resources/hudson/plugins/emailext/ExtendedEmailPublisher/global.groovy and ExtendedEmailPublisherDescriptor.java that allows attackers with control of a Jenkins administrator's web browser (e.g. malicious extension) to retrieve the configured SMTP password.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins Email Extension Plugin 2.61 and older transmits the SMTP password in plain text in the global configuration form, exposing it to malicious browser extensions and cross-site scripting attacks running in an administrator's browser.
Vulnerability
The Jenkins Email Extension Plugin stores the SMTP password encrypted on disk, but transmits it in plain text as part of the global configuration form. This affects versions 2.61 and older [1][2]. The vulnerability exists in the ExtendedEmailPublisherDescriptor.java and the global configuration view global.groovy.
Exploitation
An attacker must have control over a Jenkins administrator's web browser, e.g., through a malicious browser extension or by exploiting a cross-site scripting vulnerability. The attacker can then view the configuration form and retrieve the SMTP password in plain text [2].
Impact
Successful exploitation allows the attacker to obtain the SMTP password configured for the Email Extension Plugin. This could enable the attacker to send emails as the Jenkins instance, potentially for phishing or further compromise [1][2].
Mitigation
Update the Email Extension Plugin to version 2.62 or later, released on 2018-04-16 [2]. After updating, the password is encrypted when transmitted to the configuration form.
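As an added illustration of the pattern the Mitigation section describes (example code, not the Email Extension Plugin's own implementation; the class name, field name and form key are assumptions): keeping the credential as a `hudson.util.Secret` means the configuration form receives only the encrypted representation, while a plain `String` getter hands the clear-text password to whatever is running in the administrator's browser.

```java
import hudson.Extension;
import hudson.util.Secret;
import jenkins.model.GlobalConfiguration;
import net.sf.json.JSONObject;
import org.kohsuke.stapler.StaplerRequest;

/** Illustrative global configuration (NOT the Email Extension Plugin's code). */
@Extension
public class ExampleSmtpConfig extends GlobalConfiguration {

    // Weak pattern, matching what the advisory describes: the value is stored
    // encrypted on disk, but a String getter feeds the Groovy/Jelly view the
    // decrypted password, so anything running in the admin's browser can read it.
    //
    //   private String smtpPassword;
    //   public String getSmtpPassword() { return smtpPassword; }

    // Hardened pattern: keep the field as a Secret end to end. Jenkins' core
    // f:password form control renders a Secret as its encrypted value, so the
    // browser never sees plaintext; decryption happens only server-side.
    private Secret smtpPassword;

    public ExampleSmtpConfig() {
        load(); // restore the persisted (encrypted) value from the XML on disk
    }

    /** Bound to the view as f.password(field: "smtpPassword"); returns the Secret, not plaintext. */
    public Secret getSmtpPassword() {
        return smtpPassword;
    }

    @Override
    public boolean configure(StaplerRequest req, JSONObject json) {
        // Secret.fromString accepts both a freshly typed plaintext value and an
        // encrypted value round-tripped from the form, so it is safe to rebind
        // the form field unchanged without double-encrypting it.
        smtpPassword = Secret.fromString(json.getString("smtpPassword"));
        save();
        return true;
    }

    /** Server-side use only (e.g. when opening the SMTP session); never expose to a view. */
    String smtpPasswordForTransport() {
        return Secret.toString(smtpPassword);
    }
}
```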
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.jenkins-ci.plugins:email-ext | Maven | < 2.62 | 2.62 |
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
- github.com/advisories/GHSA-gwxm-wqpq-w539 (source: GHSA; type: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-1000176 (source: GHSA; type: ADVISORY)
- jenkins.io/security/advisory/2018-04-16 (source: GHSA; type: WEB)
- jenkins.io/security/advisory/2018-04-16/ (source: MITRE; type: x_refsource_CONFIRM)
News mentions (0)
No linked articles in our index yet.