CVE-2018-1000104 in Coverity Plugin
Summary
by MITRE
A plaintext storage of a password vulnerability exists in Jenkins Coverity Plugin 1.10.0 and earlier in CIMInstance.java that allows an attacker with local file system access or control of a Jenkins administrator's web browser (e.g. malicious extension) to retrieve the configured keystore and private key passwords.
Analysis
by VulDB Data Team • 07/16/2020
CVE-2018-1000104 is a critical security flaw in the Jenkins Coverity Plugin, versions 1.10.0 and earlier, in which CIMInstance.java stores passwords in plaintext. This exposes sensitive authentication credentials that are essential for maintaining secure communication between Jenkins and Coverity scanning systems. The vulnerability stems from improper handling of cryptographic key material within the plugin's configuration files, creating a persistent exposure that can be exploited by threat actors with minimal privileges.
The technical implementation flaw manifests in how the plugin stores authentication credentials in plain text format rather than utilizing proper encryption mechanisms or secure credential management practices. When Jenkins administrators configure the Coverity plugin with keystore and private key passwords, these credentials are written to disk without any form of obfuscation or encryption, making them immediately accessible to any entity with read access to the filesystem or browser session. This design decision directly violates established security principles and creates an attack surface that can be leveraged by adversaries who gain local system access or can execute malicious code within the administrator's browser context.
The operational impact of this vulnerability extends beyond simple credential theft, as it fundamentally undermines the security posture of Jenkins environments that utilize the Coverity plugin. Attackers who successfully exploit this weakness can gain unauthorized access to Coverity scanning systems, potentially leading to data exfiltration, manipulation of scan results, or use of the compromised credentials for lateral movement within the network. The vulnerability is particularly concerning because little is needed to exploit it: either local file system access or a browser-based compromise through a malicious extension, both of which are relatively common attack scenarios in modern threat landscapes.
Organizations using the affected Jenkins Coverity Plugin versions should immediately implement mitigation strategies including upgrading to patched versions of the plugin, implementing strict file system access controls, and establishing robust monitoring for unauthorized file access patterns. The vulnerability aligns with CWE-312 (Cleartext Storage of Sensitive Information) and represents a clear violation of security best practices outlined in the OWASP Top Ten and NIST Cybersecurity Framework. Additionally, this issue correlates with ATT&CK technique T1552.001 (Credentials in Files) and demonstrates how insecure credential storage can enable broader compromise within Jenkins environments that may host multiple interconnected security tools and pipelines.
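One way to audit a Jenkins home directory for the cleartext storage described above, as an added example that is not code from the plugin or from VulDB. The element names in the sample, the name-matching pattern and the 16-byte threshold are assumptions; values that are not in Jenkins' brace-wrapped Secret form are reported for manual review.

```python
import base64
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Jenkins' hudson.util.Secret serializes an encrypted value as "{<base64>}".
SECRET_RE = re.compile(r"^\{[A-Za-z0-9+/]+={0,2}\}$")
# Assumption: element names that suggest a credential; tune per plugin.
SENSITIVE_RE = re.compile(r"pass(word|phrase)|secret", re.IGNORECASE)
XML_DECL_RE = re.compile(r"^\s*<\?xml[^>]*\?>")

def looks_encrypted(value):
    """Heuristic: braces around valid base64 that decodes to >= 16 bytes."""
    if not SECRET_RE.match(value):
        return False
    try:
        raw = base64.b64decode(value[1:-1], validate=True)
    except ValueError:  # binascii.Error subclasses ValueError
        return False
    return len(raw) >= 16

def find_plaintext_secrets(xml_text):
    """Names of credential-like elements whose text is not an encrypted Secret."""
    # Jenkins may write an XML 1.1 declaration; drop it before parsing.
    root = ET.fromstring(XML_DECL_RE.sub("", xml_text, count=1))
    return [e.tag for e in root.iter()
            if (e.text or "").strip()
            and SENSITIVE_RE.search(e.tag)
            and not looks_encrypted(e.text.strip())]

def scan_jenkins_home(home):
    """Map each top-level *.xml under JENKINS_HOME to its findings."""
    report = {}
    for path in sorted(Path(home).glob("*.xml")):
        try:
            hits = find_plaintext_secrets(path.read_text(encoding="utf-8"))
        except (ET.ParseError, UnicodeDecodeError):
            continue  # not parseable as XML; skip rather than abort the scan
        if hits:
            report[path.name] = hits
    return report

# Constructed sample; element names and values are hypothetical.
ENCRYPTED = "{" + base64.b64encode(bytes(range(48))).decode() + "}"
SAMPLE = f"""<?xml version='1.1' encoding='UTF-8'?>
<pluginConfig>
  <user>scanner</user>
  <keystorePassword>changeit</keystorePassword>
  <privateKeyPassword>{ENCRYPTED}</privateKeyPassword>
</pluginConfig>"""
```

The report lists only file and element names, never the values, so it can be attached to a ticket without copying the credentials again.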