Analyst readout for executives and security teams
Plain-English summary
This vulnerability affects Jenkins installations using the Inedo BuildMaster Plugin 1.3 or earlier. It could let an attacker positioned between Jenkins and a connected service impersonate that service. The sources do not provide CVSS, patch details, or evidence of active exploitation.
Executive priority
Treat as a targeted Jenkins supply-chain and CI/CD exposure review item, not a confirmed emergency. Prioritize environments where Jenkins handles deployment credentials or reaches sensitive internal services.
Technical view
CVE-2018-1999035 is described as a man-in-the-middle flaw in BuildMasterConfiguration.java, BuildMasterConfig.java, and BuildMasterApi.java. The impact is service impersonation for services Jenkins connects to through the affected plugin. The provided data lacks CWE, CVSS, and explicit remediation details.
Likely exposure
Exposure is limited to Jenkins environments with the Inedo BuildMaster Plugin version 1.3 or earlier installed and configured to connect to BuildMaster or related services.
Exploitation context
The source bundle does not indicate active exploitation, and the CVE is not listed as KEV. Practical risk depends on network positioning between Jenkins and connected services.
Researcher notes
Evidence is sparse in the provided bundle. The key claim is service impersonation via MITM in the Jenkins Inedo BuildMaster Plugin 1.3 and earlier. No exploit status, CVSS vector, CWE, or fixed version is included.
Mitigation direction
- Inventory Jenkins instances for Inedo BuildMaster Plugin version 1.3 or earlier.
- Check the Jenkins advisory and vendor guidance for supported update or removal options.
- Disable or remove the plugin where the BuildMaster integration is not required.
- Restrict Jenkins outbound connectivity to trusted service endpoints where feasible.
Validation and detection
- Review Jenkins plugin inventory for Inedo BuildMaster Plugin versions.
- Identify jobs or global settings that use BuildMaster service connections.
- Confirm affected Jenkins instances are not using version 1.3 or earlier.
- Document whether Jenkins can reach only expected service endpoints.
Public sources used
Based on public source material and reviewed before publication.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CVE-2018-1999035 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- Unknown
- CVSS
- Not scored
- Known Exploited
- No
- Published
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CVSS and timeline data
No CVSS vectors or timeline events were available in the normalized CVE source material.
Source materials
- CVE List V5 sourceCVE List V5
- https://jenkins.io/security/advisory/2018-07-30/#SECURITY-935CVE reference · x_refsource_CONFIRM
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
