CVE-2017-1000395

Name of the Vulnerable Software and Affected Versions Jenkins versions 2.73.1 and earlier, 2.83 and earlier

Description The issue allows access to information about Jenkins user accounts, including email addresses if the Mailer Plugin is installed, via the "user/(username)/api" remote API endpoint. This information is available to anyone with Overall/Read permissions. The API endpoint now only includes basic user information, such as user ID and name, unless the requesting user is a Jenkins administrator.

Recommendations For Jenkins versions 2.73.1 and earlier, 2.83 and earlier, update to a version that restricts access to user information via the remote API, ensuring that only basic user details are accessible to non-administrative users.