PT-2017-10809 · Jenkins · Jenkins Config File Provider Plugin

Thanh Ha · Published 2017-10-04 · Updated 2022-05-13 · CVE-2017-1000104

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Jenkins Config File Provider Plugin (affected versions not specified)

Description

The issue concerns the Config File Provider Plugin, which is used for central management of configuration files that may include sensitive information like passwords. It was discovered that users with only read access to Jenkins could directly access URLs to view these files. Now, viewing these files requires sufficient permissions, such as the ability to configure the provided files, view the configuration of the folder where the files are defined, or having job configuration permissions for a job that uses these files.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Improper Privilege Management

Related Identifiers

CVE-2017-1000104
GHSA-6H72-M3XW-FP3C

Affected Products

Jenkins
Jenkins Config File Provider Plugin