CVE-2017-1000354

Name of the Vulnerable Software and Affected Versions Jenkins versions 2.56 and earlier Jenkins version 2.46.1 LTS and earlier

Description The issue allows impersonating any Jenkins user through a login command. The login command in the remoting-based CLI stores the encrypted user name of the successfully authenticated user in a cache file used for further command authentication. Users with sufficient permission to create secrets in Jenkins and download their encrypted values can impersonate any other Jenkins user on the same instance.

Recommendations For Jenkins versions 2.56 and earlier, update to a version later than 2.56 to resolve the issue. For Jenkins version 2.46.1 LTS and earlier, update to a version later than 2.46.1 LTS to resolve the issue. As a temporary workaround, consider restricting the permission to create secrets in Jenkins and download their encrypted values to minimize the risk of exploitation.