This issue is due to a vulnerability in the HttpClient plugin which can be exploited by malicious administrators to connect to an arbitrary HTTP server and capture credentials stored in Jenkins. This issue has been assigned the CVE identifier CVE-2018-10938. A full list of affected software and the severity of the issue can be found in the table below.

| Software | Version | Severity (out of 5) |
|---|---|---|
| Atlassian Bamboo | 1.8 and earlier | High |
| Atlassian Bamboo | 1.9 and earlier | High |
| Atlassian Bamboo | 1.10 and earlier | High |
| Atlassian Bamboo | 1.11 and earlier | High |
| Atlassian Bamboo | 1.12 and earlier | High |
| Confluence | 5.5 and earlier | High |
| Confluence | 5.6 and earlier | High |
| Confluence | 5.7 and earlier | High |
| Confluence | 5.8 and earlier | High |
| Confluence | 5.9 and earlier | High |
| Confluence | 5.10 and earlier | High |
| Confluence | 5.11 and earlier | High |
| Confluence | 5.12 and earlier | High |
| Elasticsearch | 5.6 and earlier | High |
| Elasticsearch | 5.7 and earlier | High |
| Elasticsearch | 5.8 and earlier | High |
| Elasticsearch | 5.9 and earlier | High |
| Elasticsearch | 5.10 and earlier | High |

How do I check if my version is affected?

Compare your installed version against the table of affected software and severities above: if your version is listed as "and earlier" for a given entry, it is affected.

HttpClient Plugin

The HttpClient plugin has been found to be vulnerable to CVE-2018-10938, which can be exploited by malicious administrators. One way this can be triggered is when a user visits an external website containing a malicious URL that redirects to Jenkins. Users are advised to upgrade the HttpClient plugin.

HttpClient plugin

HttpClient is a plugin that assists with making HTTP requests from Jenkins. It contains an HttpClient implementation.

When making an HTTP request, this plugin sends an authentication header; this behaviour has been found to be abusable by malicious administrators. This issue has been assigned the CVE identifier CVE-2018-10938.

References

https://www.atlassian.com/software/bamboo/versions-and-severities

Timeline

Published on: 09/21/2022 16:15:00 UTC
Last modified on: 09/22/2022 18:38:00 UTC