CVE-2018-1000176: Exposure of Sensitive Information to an Unauthorized Actor

May 14, 2022 (updated January 30, 2024)

An exposure of sensitive information vulnerability exists in Jenkins Email Extension Plugin 2.61 and older in src/main/resources/hudson/plugins/emailext/ExtendedEmailPublisher/global.groovy and ExtendedEmailPublisherDescriptor.java that allows attackers with control of a Jenkins administrator’s web browser (e.g. malicious extension) to retrieve the configured SMTP password.

References

github.com/advisories/GHSA-gwxm-wqpq-w539
jenkins.io/security/advisory/2018-04-16/
nvd.nist.gov/vuln/detail/CVE-2018-1000176

Code Behaviors & Features

Detect and mitigate CVE-2018-1000176 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →