CVE-2017-1000114

The Datadog Plugin stores an API key to access the Datadog service in the global Jenkins configuration. While the API key is stored encrypted on disk, it was transmitted in plain text as part of the configuration form. This could result in exposure of the API key for example through browser extensions or cross-site scripting vulnerabilities. The Datadog Plugin now encrypts the API key transmitted to administrators viewing the global configuration form.

CVSS v3 3.1 LOW
CVSS v2.0 4.3 MEDIUM

3.1^/10

CVSS v3 : LOW

Vector : AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

Exploitability : 1.6 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.3^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:N/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://www.securityfocus.com/bid/100223	Third Party Advisory VDB Entry
https://jenkins.io/security/advisory/2017-08-07/	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:jenkins:datadog:*:*:*:*:*:jenkins:*:*

History

No history.

Information

Published : 2017-10-05 01:29

Updated : 2023-12-10 12:15

NVD link : CVE-2017-1000114

Mitre link : CVE-2017-1000114

CVE.ORG link : CVE-2017-1000114

JSON object : View

Products Affected

jenkins

datadog

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2017-1000114", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 3.1, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 1.6}]}, "published": "2017-10-05T01:29:04.540", "references": [{"url": "http://www.securityfocus.com/bid/100223", "tags": ["Third Party Advisory", "VDB Entry"], "source": "cve@mitre.org"}, {"url": "https://jenkins.io/security/advisory/2017-08-07/", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "The Datadog Plugin stores an API key to access the Datadog service in the global Jenkins configuration. While the API key is stored encrypted on disk, it was transmitted in plain text as part of the configuration form. This could result in exposure of the API key for example through browser extensions or cross-site scripting vulnerabilities. The Datadog Plugin now encrypts the API key transmitted to administrators viewing the global configuration form."}, {"lang": "es", "value": "El plugin Datadog almacena una clave API para acceder al servicio Datadog en la configuraci\u00f3n global de Jenkins. Mientras la clave API se almacena cifrada en el disco, se transmit\u00eda en texto plano como parte del formulario de configuraci\u00f3n. Esto podr\u00eda provocar la exposici\u00f3n de la clave API, por ejemplo mediante extensiones de navegadores o vulnerabilidades de Cross-Site Scripting (XSS). Ahora el plugin Datadog cifra la clave API que se transmite a los administradores que est\u00e1n viendo el formulario de configuraci\u00f3n global."}], "lastModified": "2017-10-17T16:28:14.470", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:datadog:*:*:*:*:*:jenkins:*:*", "vulnerable": true, "matchCriteriaId": "2AC9981F-EB61-4D20-A5A2-31A94529223D", "versionEndIncluding": "0.5.6"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}