PT-2018-5183 · Jenkins · Jenkins

Ben Walding

Publicado

2018-01-26

Atualizado

2022-05-14

CVE-2017-1000401

CVSS v3.1

2.2

Baixa

Vetor

AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions Jenkins versions 2.73.1 and earlier, 2.83 and earlier

Description The default form control for passwords and other secrets in Jenkins supports form validation, which could potentially log secrets to HTTP access logs in non-default configurations. This issue arises because form validation AJAX requests were sent via GET. Form validation is now sent via POST, which is typically not logged.

Recommendations For Jenkins versions 2.73.1 and earlier, 2.83 and earlier, update the form validation to send requests via POST to prevent secrets from being logged to HTTP access logs.

Correção

RCE

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-20

Identificadores relacionados

CVE-2017-1000401

GHSA-H8C5-C92G-JQ6X

Produtos afetados

Jenkins

PT-2018-5183 · Jenkins · Jenkins

CVE-2017-1000401

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 7