{"id":"CVE-2018-1000421","details":"An improper authorization vulnerability exists in MesosCloud.java in Jenkins Mesos Plugin 0.17.1 and earlier. It allows attackers with Overall/Read access to initiate a test connection to an attacker-specified Mesos server using attacker-specified credentials IDs obtained through another method, thereby capturing credentials stored in Jenkins.","aliases":["GHSA-5q7j-8hpc-4848"],"modified":"2026-04-10T04:03:24.904026Z","published":"2019-01-09T23:29:02.810Z","references":[{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/106532"},{"type":"ADVISORY","url":"https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1013%20%282%29"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jenkinsci/mesos-plugin","events":[{"introduced":"0"},{"last_affected":"fc5c1051618acad65c317939eaae92b5f5a7d6cf"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"0.17.1"}]}}],"versions":["mesos-0.1.1","mesos-0.10.0","mesos-0.10.0-beta-1","mesos-0.10.0-beta-2","mesos-0.10.0-beta-3","mesos-0.10.0-beta-4","mesos-0.10.1","mesos-0.11.0","mesos-0.12.0","mesos-0.12.0-beta-1","mesos-0.12.1-alpha-1","mesos-0.13.0","mesos-0.13.0-beta-1","mesos-0.13.1","mesos-0.13.1-beta-1","mesos-0.14.0","mesos-0.14.1","mesos-0.15.0","mesos-0.15.1","mesos-0.16","mesos-0.17","mesos-0.17.1","mesos-0.2.0","mesos-0.3.0","mesos-0.4.0","mesos-0.5.0","mesos-0.6.0","mesos-0.7.0","mesos-0.8.0","mesos-0.9.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-1000421.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"}]}