CVE-2018-1000425: Insufficiently Protected Credentials

May 13, 2022 (updated January 30, 2024)

An insufficiently protected credentials vulnerability exists in Jenkins SonarQube Scanner Plugin 2.8 and earlier in SonarInstallation.java that allows attackers with local file system access to obtain the credentials used to connect to SonarQube.

References

www.securityfocus.com/bid/106532
github.com/advisories/GHSA-3ccq-gccx-pm7j
jenkins.io/security/advisory/2018-09-25/
nvd.nist.gov/vuln/detail/CVE-2018-1000425

Detect and mitigate CVE-2018-1000425 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →