PT-2018-5177 · Cloudbees+1 · Jenkins+1

Ananthapadmanabhan S R

Published

2018-01-26

Updated

2022-05-14

CVE-2017-1000395

CVSS v3.1

4.3

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions Jenkins versions 2.73.1 and earlier, 2.83 and earlier

Description The issue allows access to information about Jenkins user accounts, including email addresses if the Mailer Plugin is installed, via the "user/(username)/api" remote API endpoint. This information is available to anyone with Overall/Read permissions. The API endpoint now only includes basic user information, such as user ID and name, unless the requesting user is a Jenkins administrator.

Recommendations For Jenkins versions 2.73.1 and earlier, 2.83 and earlier, update to a version that restricts access to user information via the remote API, ensuring that only basic user details are accessible to non-administrative users.

Fix

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-200

Related Identifiers

CVE-2017-1000395

GHSA-WQV4-9GR3-3QGH

Affected Products

Jenkins

Mailer Plugin

PT-2018-5177 · Cloudbees+1 · Jenkins+1

CVE-2017-1000395

Weakness Enumeration

Related Identifiers

Affected Products

References · 6