VYPR
Moderate severity · NVD Advisory · Published Jun 26, 2018 · Updated Sep 17, 2024

CVE-2018-1000609

Description

An exposure of sensitive information vulnerability exists in Jenkins Configuration as Code Plugin 0.7-alpha and earlier in ConfigurationAsCode.java that allows attackers with Overall/Read access to obtain the YAML export of the Jenkins configuration.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins Configuration as Code Plugin 0.7-alpha and earlier exposes the full YAML configuration export to users with Overall/Read access.

Vulnerability

The Jenkins Configuration as Code Plugin, in versions 0.7-alpha and earlier, suffers from an information exposure vulnerability in the ConfigurationAsCode.java file. This allows any authenticated user with the Overall/Read permission to retrieve the YAML export of the entire Jenkins configuration, including sensitive data such as credentials, secrets, and other configuration parameters. The vulnerability exists because the method that serves the YAML export does not perform an additional permission check beyond the standard Overall/Read access, which is typically granted to a wide range of users [1][2].
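As an added illustration (not the plugin's own source), the hypothetical Jenkins root action below shows the pattern the advisory describes: a Stapler `do*` web method that any user holding Overall/Read can reach, beside the same method with the additional Overall/Administer check that a full configuration export needs. The class, method and URL names are assumptions; `Jenkins.get().checkPermission(Jenkins.ADMINISTER)` is the real Jenkins permission API.

```java
package example;  // hypothetical package, not the plugin's

import hudson.Extension;
import hudson.model.RootAction;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;

import java.io.IOException;

/**
 * Hypothetical root action that serves a configuration export, written only to
 * illustrate the permission gap this advisory describes. Not the plugin's code.
 */
@Extension
public class ConfigExportAction implements RootAction {

    @Override public String getIconFileName() { return null; }  // no sidebar link
    @Override public String getDisplayName()  { return null; }
    @Override public String getUrlName()      { return "config-export"; }  // assumed URL

    /**
     * Exposed form: reaching any RootAction already requires Overall/Read, and this
     * handler checks nothing further, so every user with that permission (often all
     * authenticated users) receives the complete serialised configuration.
     */
    public void doExportUnchecked(StaplerRequest req, StaplerResponse rsp) throws IOException {
        rsp.setContentType("application/x-yaml; charset=UTF-8");
        rsp.getWriter().write(serializeConfiguration());
    }

    /**
     * Hardened form: require Overall/Administer before serialising anything.
     * checkPermission throws AccessDeniedException, which Jenkins renders as an
     * HTTP 403, so no YAML is written for callers lacking the permission.
     * (On cores older than 2.98 use Jenkins.getInstance() instead of Jenkins.get().)
     */
    public void doExport(StaplerRequest req, StaplerResponse rsp) throws IOException {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        rsp.setContentType("application/x-yaml; charset=UTF-8");
        rsp.getWriter().write(serializeConfiguration());
    }

    /** Placeholder for the real export; returns a constructed sample document. */
    private String serializeConfiguration() {
        return "jenkins:\n  systemMessage: \"constructed sample\"\n";
    }
}
```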

Exploitation

An attacker must have a Jenkins account with at least Overall/Read permission, which is often the default for authenticated users. No other special privileges or user interaction are required. The attacker can simply navigate to the YAML export endpoint or send a crafted HTTP request to retrieve the configuration file. The available references do not provide further technical details on the exact URL or request parameters required [1][2].

Impact

Successful exploitation leads to the disclosure of sensitive information contained in the Jenkins configuration. This includes credentials, API tokens, secret keys, and other security-sensitive settings. The exposed data could be used by an attacker to gain further unauthorized access, escalate privileges, or compromise the integrity of the Jenkins environment. The CVSS v3.1 base score is 5.3 (Medium) with a vector of AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N [2].

Mitigation

The vulnerability is fixed in the Jenkins Configuration as Code Plugin version 0.8-alpha and later, released on 2018-06-25 [1]. Users should upgrade to version 0.8-alpha or newer as soon as possible. For users unable to upgrade, no workaround has been provided in the available references. The plugin does not appear on the CISA Known Exploited Vulnerabilities (KEV) catalog [1][2].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                   Affected versions   Patched versions
io.jenkins:configuration-as-code (Maven)  < 0.8-alpha         0.8-alpha

Affected products: 1

Patches: 0

No patches discovered yet.

References: 3