PT-2018-5182 · Cloudbees+1 · Jenkins

Jesse Glick

Publicado

2018-01-26

Atualizado

2022-05-13

CVE-2017-1000400

CVSS v3.1

4.3

Média

Vetor

AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions Jenkins versions 2.73.1 and earlier, 2.83 and earlier

Description The issue concerns the remote API at "/job/(job-name)/api" which contained information about upstream and downstream projects, including tasks that the current user otherwise has no access to due to lack of Item/Read permission.

Recommendations For Jenkins versions 2.73.1 and earlier, 2.83 and earlier, update to a version that includes the fix, which restricts the API to only list upstream and downstream projects that the current user has access to.

Correção

Missing Authorization

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-862

Identificadores relacionados

CVE-2017-1000400

GHSA-P8X8-P473-MMMV

Produtos afetados

Jenkins

PT-2018-5182 · Cloudbees+1 · Jenkins

CVE-2017-1000400

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 7