VYPR
Low severity · NVD Advisory · Published Aug 1, 2018 · Updated Sep 16, 2024

CVE-2018-1999036

Description

An exposure of sensitive information vulnerability exists in Jenkins SSH Agent Plugin 1.15 and earlier in SSHAgentStepExecution.java that exposes the SSH private key password to users with permission to read the build log.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins SSH Agent Plugin 1.15 and earlier writes the SSH key passphrase in plain text to the build log when the sshagent step is used inside a withDockerContainer block, exposing it to any user who can read that build log.

Vulnerability

The Jenkins SSH Agent Plugin, versions 1.15 and earlier, contains an information exposure vulnerability (the advisory names SSHAgentStepExecution.java; the ssh-add launch itself sits in ExecRemoteAgent.addIdentity, as the fix commit shows). When the sshagent step runs inside a withDockerContainer block in a Pipeline, the launcher that the Docker step decorates echoes the ssh-add command line to the build log, and that echo includes the private key passphrase in plain text [1]. The affected code path is reached whenever a Pipeline job uses the sshagent step within a Docker container context [4]; outside withDockerContainer the command line is not echoed in this form, which is why the combination matters.

Exploitation

An attacker needs read access to the build log of a Pipeline job that uses the vulnerable combination of sshagent inside withDockerContainer, that is, Overall/Read plus Job/Read on that job, which many permissive authorization strategies grant to every logged-in user. The attacker then opens the console output (or the archived log file) and reads the plain-text passphrase of the SSH key used in the step [1][2]. No additional authentication or user interaction is required beyond logging into Jenkins with permission to read the relevant build log, and the exposure persists in every stored log of such a build until that log is deleted.

Impact

Successful exploitation discloses the SSH private key passphrase, which is a sensitive credential. On its own the passphrase is only useful together with the corresponding private key; an attacker who can also obtain that key (for example from a credential store, a backup, or a workspace) can authenticate to the remote systems the key is authorized for, leading to potential compromise of downstream infrastructure. Passphrases are also frequently reused across keys, which widens the blast radius. The exposure is limited to the specific build log and does not by itself grant code execution within Jenkins [1][2].

Mitigation

The vulnerability is fixed in SSH Agent Plugin version 1.16, released on or around 2018-07-30 as part of the Jenkins security advisory [1]. The fix launches ssh-add with the launcher's quiet flag so the command line is no longer echoed, printing a fixed "Running ssh-add (command line suppressed)" line instead; it is visible in commit 3a8abe1 [3]. Users should update to version 1.16 or later. No workaround is available for affected versions; the only mitigation is to upgrade the plugin [1][2]. After upgrading, treat the passphrase of every key that was used via sshagent inside withDockerContainer as exposed: rotate those key pairs, change the passphrase wherever it was reused, and delete or purge old build logs that still contain the echoed command line, since they remain readable after the plugin is patched.
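Two checks follow directly from the Exploitation and Mitigation sections above: whether an installed plugin version is in the affected range, and whether a given build log actually echoed the ssh-add command line (or contains a known passphrase literal). The script below is an added example for this page, not code from the plugin, the advisory, or Jenkins. The marker string it looks for is the exact line the 1.16 fix prints before running ssh-add; the sample build logs are constructed for the example, and the shape of the echoed command line in the vulnerable sample (including the environment variable name carrying the passphrase) is an assumption, not a captured log.

```python
"""Triage helpers for CVE-2018-1999036 (Jenkins SSH Agent Plugin, SECURITY-704).

Added example for this page; not code from the plugin, the advisory or Jenkins.

  is_affected(version)  - is an installed ssh-agent plugin version < 1.16?
  triage_log(text, ...) - did a Pipeline build log echo the ssh-add command
                          line, and does a known passphrase appear in it?

SUPPRESSED_MARKER is the exact line the 1.16 fix prints. The sample logs
below are constructed; the echoed command line's shape (and the variable
name in it) is an assumption, not a captured Jenkins log.
"""
import re
from dataclasses import dataclass, field

FIXED_VERSION = (1, 16)
SUPPRESSED_MARKER = "Running ssh-add (command line suppressed)"
# A launcher echo of the command itself, e.g. "$ docker exec ... ssh-add /path".
ECHOED_SSH_ADD = re.compile(r"(?:^|\s)ssh-add(?:\s|$)")


def parse_version(version: str) -> tuple:
    """'1.15' -> (1, 15); a qualifier such as '-SNAPSHOT' ends the tuple."""
    parts = []
    for piece in re.split(r"[.-]", version.strip()):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts) or (0,)


def is_affected(version: str) -> bool:
    """True for SSH Agent Plugin 1.15 and earlier (GHSA range: < 1.16)."""
    return parse_version(version) < FIXED_VERSION


@dataclass
class LogTriage:
    ssh_add_runs: int = 0       # ssh-add launches seen (echoed or suppressed)
    suppressed_runs: int = 0    # launches that printed the 1.16 marker
    echoed_lines: list = field(default_factory=list)        # raw echoed command lines
    leaked_passphrases: list = field(default_factory=list)  # literals found in the log

    @property
    def leaked(self) -> bool:
        return bool(self.leaked_passphrases)


def triage_log(log_text: str, known_passphrases) -> LogTriage:
    """Classify one console log. known_passphrases are the passphrases of the
    SSH credentials the job can use; they are matched as literals, so do not
    persist the returned object anywhere a log reader could see it."""
    result = LogTriage()
    for line in log_text.splitlines():
        if SUPPRESSED_MARKER in line:
            result.ssh_add_runs += 1
            result.suppressed_runs += 1
        elif ECHOED_SSH_ADD.search(line):
            result.ssh_add_runs += 1
            result.echoed_lines.append(line)
    for passphrase in known_passphrases:
        if passphrase and passphrase in log_text:
            result.leaked_passphrases.append(passphrase)
    return result


# Constructed sample logs (not captured from a real Jenkins instance).
VULNERABLE_LOG = """\
[Pipeline] withDockerContainer
[Pipeline] sshagent
[ssh-agent] Using credentials deploy
$ docker exec --env DISPLAY=:0 --env SSH_ASKPASS=/ws/askpass.sh --env SSH_PASSPHRASE=s3cr3t-pass 4f2a1c ssh-add /ws/key
Identity added: /ws/key (deploy)
[Pipeline] }
"""

PATCHED_LOG = """\
[Pipeline] withDockerContainer
[Pipeline] sshagent
[ssh-agent] Using credentials deploy
Running ssh-add (command line suppressed)
Identity added: /ws/key (deploy)
[Pipeline] }
"""


if __name__ == "__main__":
    for ver in ("1.15", "1.16"):
        print(f"ssh-agent {ver}: {'AFFECTED' if is_affected(ver) else 'fixed'}")
    for name, log in (("vulnerable", VULNERABLE_LOG), ("patched", PATCHED_LOG)):
        t = triage_log(log, ["s3cr3t-pass"])
        print(f"{name}: echoed={len(t.echoed_lines)} suppressed={t.suppressed_runs} "
              f"passphrase_in_log={t.leaked}")
```

Run it against exported console logs (Jenkins stores them as `log` files under each build directory) with the passphrases of the credentials the job can use; any build with a non-empty `echoed_lines` or `leaked` result is one whose key should be rotated and whose log should be purged, regardless of the plugin version now installed.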

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:ssh-agent (Maven)
Affected versions: < 1.16
Patched versions: 1.16

Patches
3a8abe1889d2

[SECURITY-704]

https://github.com/jenkinsci/ssh-agent-plugin · Jesse Glick · Jul 23, 2018 · via ghsa
4 files changed · +106 −47
  • pom.xml (+55 −40) modified
    @@ -29,7 +29,7 @@
       <parent>
         <groupId>org.jenkins-ci.plugins</groupId>
         <artifactId>plugin</artifactId>
    -    <version>2.21</version>
    +    <version>3.17</version>
         <relativePath />
       </parent>
     
    @@ -55,10 +55,6 @@
         </developer>
       </developers>
     
    -  <prerequisites>
    -    <maven>2.2.1</maven>
    -  </prerequisites>
    -
       <scm>
         <connection>scm:git:git://github.com/jenkinsci/ssh-agent-plugin.git</connection>
         <developerConnection>scm:git:git@github.com:jenkinsci/ssh-agent-plugin.git</developerConnection>
    @@ -67,9 +63,9 @@
       </scm>
     
       <properties>
    -    <jenkins.version>1.609.3</jenkins.version>
    -    <java.level>7</java.level> <!-- sshd-core is 7+ -->
    -    <workflow-jenkins-plugin.version>1.14.2</workflow-jenkins-plugin.version>
    +    <jenkins.version>2.60.3</jenkins.version>
    +    <java.level>8</java.level>
    +    <workflow-support-plugin.version>2.18</workflow-support-plugin.version>
       </properties>
     
       <repositories>
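Review bot: raising jenkins.version from 1.609.3 to 2.60.3 and java.level from 7 to 8 in this hunk changes the plugin's minimum core and JDK as part of a security release; that requirement should be called out in the release notes, since a site still on a 1.x core cannot install 1.16 and therefore cannot take the fix without a core upgrade first. The rename of workflow-jenkins-plugin.version to workflow-support-plugin.version is fine as long as no use of the old property survives (the dependency hunk below replaces the ones visible here).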
    @@ -97,18 +93,6 @@
           <artifactId>tomcat-apr</artifactId>
           <version>5.5.23</version>
         </dependency>
    -    <dependency>
    -      <groupId>org.slf4j</groupId>
    -      <artifactId>slf4j-api</artifactId>
    -      <version>1.7.7</version>
    -      <scope>provided</scope>
    -    </dependency>
    -    <dependency>
    -      <groupId>org.slf4j</groupId>
    -      <artifactId>slf4j-jdk14</artifactId>
    -      <version>1.7.7</version>
    -      <scope>provided</scope>
    -    </dependency>
         <dependency>
           <groupId>com.cloudbees.util</groupId>
           <artifactId>jnr-unixsocket-nodep</artifactId>
    @@ -117,72 +101,103 @@
         <dependency>
           <groupId>org.jenkins-ci.plugins.workflow</groupId>
           <artifactId>workflow-step-api</artifactId>
    -      <version>${workflow-jenkins-plugin.version}</version>
    +      <version>2.16</version>
         </dependency>
     
         <!-- plugin dependencies -->
         <dependency>
           <groupId>org.jenkins-ci.plugins</groupId>
           <artifactId>credentials</artifactId>
    -      <version>2.1.1</version>
    +      <version>2.1.17</version>
         </dependency>
         <dependency>
           <groupId>org.jenkins-ci.plugins</groupId>
           <artifactId>ssh-credentials</artifactId>
    -      <version>1.11</version>
    +      <version>1.14</version>
         </dependency>
         <dependency>
           <groupId>org.jenkins-ci.plugins</groupId>
           <artifactId>bouncycastle-api</artifactId>
    -      <version>1.0.2</version>
    +      <version>2.16.3</version>
         </dependency>
         <!-- jenkins dependencies -->
         <!-- test dependencies -->
    +    <dependency>
    +      <groupId>org.jenkins-ci.plugins.workflow</groupId>
    +      <artifactId>workflow-api</artifactId>
    +      <version>2.27</version>
    +      <scope>test</scope>
    +    </dependency>
         <dependency>
           <groupId>org.jenkins-ci.plugins.workflow</groupId>
           <artifactId>workflow-job</artifactId>
    -      <version>${workflow-jenkins-plugin.version}</version>
    +      <version>2.12.2</version>
           <scope>test</scope>
         </dependency>
         <dependency>
           <groupId>org.jenkins-ci.plugins.workflow</groupId>
           <artifactId>workflow-basic-steps</artifactId>
    -      <version>${workflow-jenkins-plugin.version}</version>
    +      <version>2.8</version>
           <scope>test</scope>
         </dependency>
         <dependency>
           <groupId>org.jenkins-ci.plugins.workflow</groupId>
           <artifactId>workflow-durable-task-step</artifactId>
    -      <version>${workflow-jenkins-plugin.version}</version>
    +      <version>2.19</version>
           <scope>test</scope>
         </dependency>
         <dependency>
           <groupId>org.jenkins-ci.plugins.workflow</groupId>
           <artifactId>workflow-cps</artifactId>
    -      <version>${workflow-jenkins-plugin.version}</version>
    +      <version>2.45</version>
           <scope>test</scope>
         </dependency>
         <dependency>
           <groupId>org.jenkins-ci.plugins.workflow</groupId>
           <artifactId>workflow-support</artifactId>
    -      <version>${workflow-jenkins-plugin.version}</version>
    +      <version>${workflow-support-plugin.version}</version>
    +      <scope>test</scope>
    +     </dependency>
    +    <dependency>
    +      <groupId>org.jenkins-ci.plugins.workflow</groupId>
    +      <artifactId>workflow-support</artifactId>
    +      <version>${workflow-support-plugin.version}</version>
           <classifier>tests</classifier>
           <scope>test</scope>
          </dependency>
    -    <dependency> <!-- TODO Jenkins sshd (1.6) depends on sshd-core 0.8, which is incompatible with 1.0 -->
    -      <groupId>org.jenkins-ci.main</groupId>
    -      <artifactId>jenkins-war</artifactId>
    -      <version>${jenkins.version}</version>
    -      <classifier>war-for-test</classifier>
    +    <dependency>
    +      <groupId>org.jenkins-ci.plugins</groupId>
    +      <artifactId>docker-workflow</artifactId>
    +      <version>1.17</version>
           <scope>test</scope>
    -      <exclusions>
    -        <exclusion>
    -          <groupId>org.jenkins-ci.modules</groupId>
    -          <artifactId>sshd</artifactId>
    -        </exclusion>
    -      </exclusions>
         </dependency>
       </dependencies>
    +  <dependencyManagement>
    +    <dependencies>
    +      <dependency>
    +        <groupId>org.jenkins-ci.plugins</groupId>
    +        <artifactId>structs</artifactId>
    +        <version>1.14</version>
    +      </dependency>
    +      <dependency>
    +        <groupId>org.jenkins-ci</groupId>
    +        <artifactId>symbol-annotation</artifactId>
    +        <version>1.14</version>
    +      </dependency>
    +      <dependency>
    +        <groupId>org.jenkins-ci.plugins</groupId>
    +        <artifactId>script-security</artifactId>
    +        <version>1.44</version>
    +        <scope>test</scope>
    +      </dependency>
    +      <dependency>
    +        <groupId>org.jenkins-ci.plugins</groupId>
    +        <artifactId>scm-api</artifactId>
    +        <version>2.2.7</version>
    +        <scope>test</scope>
    +      </dependency>
    +    </dependencies>
    +  </dependencyManagement>
     
       <build>
         <plugins>
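Review bot: indentation slip in this hunk: the new `+     </dependency>` closing the plain workflow-support test dependency is one space deeper than its siblings; align it with the `</dependency>` of the tests-classifier entry that follows it. Dropping the jenkins-war war-for-test dependency also drops the TODO about Jenkins sshd (1.6) depending on sshd-core 0.8 being incompatible with 1.0; if the 2.60.3 core resolves that incompatibility, say so in the commit, otherwise the sshd exclusion may still be needed for the test run. Scoping docker-workflow 1.17 to test is right, since only the new SECURITY-704 test uses it.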
    
  • src/main/java/com/cloudbees/jenkins/plugins/sshagent/exec/ExecRemoteAgent.java (+5 −1) modified
    @@ -105,7 +105,11 @@ public void addIdentity(String privateKey, final String passphrase, String comme
                         env.put("DISPLAY", ":0"); // just to force using SSH_ASKPASS
                         env.put("SSH_ASKPASS", askpass.getRemote());
                     }
    -                if (launcher.launch().cmds("ssh-add", keyFile.getRemote()).envs(env).stdout(listener).start().joinWithTimeout(1, TimeUnit.MINUTES, listener) != 0) {
    +                
    +                // as the next command is in quiet mode, we just add a message to the log
    +                launcher.getListener().getLogger().println("Running ssh-add (command line suppressed)");
    +                
    +                if (launcher.launch().quiet(true).cmds("ssh-add", keyFile.getRemote()).envs(env).stdout(listener).start().joinWithTimeout(1, TimeUnit.MINUTES, listener) != 0) {
                         throw new AbortException("Failed to run ssh-add");
                     }
                 } finally {
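Review bot: the suppression relies on every Launcher decorator honouring quiet(true), and the new comment only says that the command is quiet, not why; it should state the reason (SECURITY-704: when the launcher is decorated by withDockerContainer the echoed command line carried the key passphrase) so that a later refactor does not drop the flag as a cosmetic change. The two added blank lines carry trailing whitespace. stdout(listener) still forwards ssh-add's own output, which is what a fixed build should show after the "Running ssh-add (command line suppressed)" line.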
    
  • src/main/java/com/cloudbees/jenkins/plugins/sshagent/SSHAgentStepExecution.java (+1 −1) modified
    @@ -63,7 +63,7 @@ public boolean start() throws Exception {
             initRemoteAgent();
             context.newBodyInvoker().
                     withContext(EnvironmentExpander.merge(getContext().get(EnvironmentExpander.class), new ExpanderImpl(this))).
    -                withCallback(new Callback(this)).withDisplayName(null).start();
    +                withCallback(new Callback(this)).start();
             return false;
         }
     
    
  • src/test/java/com/cloudbees/jenkins/plugins/sshagent/SSHAgentStepWorkflowTest.java (+45 −5) modified
    @@ -5,10 +5,10 @@
     import com.cloudbees.plugins.credentials.CredentialsProvider;
     import com.cloudbees.plugins.credentials.CredentialsScope;
     import com.cloudbees.plugins.credentials.SystemCredentialsProvider;
    -import com.cloudbees.plugins.credentials.domains.Domain;
    -import hudson.Util;
    +import hudson.Launcher;
     import hudson.model.Fingerprint;
    -import hudson.util.Secret;
    +import hudson.util.StreamTaskListener;
    +import java.io.IOException;
     import org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition;
     import org.jenkinsci.plugins.workflow.cps.CpsFlowExecution;
     import org.jenkinsci.plugins.workflow.job.WorkflowJob;
    @@ -26,14 +26,17 @@
     import java.util.ArrayList;
     import java.util.List;
     import java.util.Scanner;
    -import java.util.regex.Matcher;
    +import java.util.concurrent.TimeUnit;
     import java.util.regex.Pattern;
     
    -import static org.hamcrest.CoreMatchers.is;
    +import static org.hamcrest.Matchers.is;
     import static org.hamcrest.core.IsCollectionContaining.hasItem;
     import static org.hamcrest.core.IsNull.notNullValue;
     import static org.hamcrest.core.IsNull.nullValue;
    +import org.jenkinsci.plugins.docker.commons.tools.DockerTool;
    +import org.jenkinsci.plugins.docker.workflow.client.DockerClient;
     import static org.junit.Assert.*;
    +import static org.junit.Assume.*;
     
     public class SSHAgentStepWorkflowTest extends SSHAgentBase {
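Review bot: the two non-static org.jenkinsci.plugins.docker imports are inserted in the middle of the static-import block; move them up with the other org.jenkinsci imports. Also check that java.util.regex.Pattern is still used now that Matcher has been removed, otherwise drop it too.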
     
    @@ -191,4 +194,41 @@ public void evaluate() throws Throwable {
                 }
             });
         }
    +
    +    @Issue("SECURITY-704")
    +    @Test
    +    public void sshAgentDocker() throws Exception {
    +        story.then(r -> {
    +            // From org.jenkinsci.plugins.docker.workflow.DockerTestUtil:
    +            Launcher.LocalLauncher localLauncher = new Launcher.LocalLauncher(StreamTaskListener.NULL);
    +            try {
    +                assumeThat("Docker working", localLauncher.launch().cmds(DockerTool.getExecutable(null, null, null, null), "ps").start().joinWithTimeout(DockerClient.CLIENT_TIMEOUT, TimeUnit.SECONDS, localLauncher.getListener()), is(0));
    +            } catch (IOException x) {
    +                assumeNoException("have Docker installed", x);
    +            }
    +
    +            List<String> credentialIds = new ArrayList<String>();
    +            credentialIds.add(CREDENTIAL_ID);
    +
    +            SSHUserPrivateKey key = new BasicSSHUserPrivateKey(CredentialsScope.GLOBAL, credentialIds.get(0), "x",
    +                    new BasicSSHUserPrivateKey.DirectEntryPrivateKeySource(getPrivateKey()), "cloudbees", "test");
    +            SystemCredentialsProvider.getInstance().getCredentials().add(key);
    +            SystemCredentialsProvider.getInstance().save();
    +
    +            WorkflowJob job = r.createProject(WorkflowJob.class, "sshAgentDocker");
    +            job.setDefinition(new CpsFlowDefinition(""
    +                + "node('" + r.createSlave().getNodeName() + "') {\n"
    +                + "  withDockerContainer('kroniak/ssh-client') {\n"
    +                + "    sh 'ssh-agent -k || :'\n"
    +                + "    sshagent(credentials: ['" + CREDENTIAL_ID + "']) {\n"
    +                + "      sh 'env'\n"
    +                + "    }\n"
    +                + "  }\n"
    +                + "}\n", true)
    +            );
    +            WorkflowRun b = r.buildAndAssertSuccess(job);
    +            r.assertLogNotContains("cloudbees", b);
    +        });
    +    }
    +
     }
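Review bot: the sentinel asserted by assertLogNotContains is the passphrase "cloudbees" (the fifth constructor argument of BasicSSHUserPrivateKey), a word that can legitimately show up in this code base's package names and in log output; a random or clearly unique passphrase would make the assertion unambiguous. The assumeThat/assumeNoException guards mean the test is silently skipped on any machine without a working docker ps, so CI without Docker gives no regression coverage for the fix, and the test depends on pulling kroniak/ssh-client from a registry. The sh 'env' inside the sshagent body is a good touch: it makes the assertion cover leakage through the container environment as well as through the echoed command line.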
    
