PT-2018-5182 · Cloudbees+1 · Jenkins

Jesse Glick

Published

2018-01-26

Updated

2022-05-13

CVE-2017-1000400

CVSS v3.1

4.3

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions Jenkins versions 2.73.1 and earlier, 2.83 and earlier

Description The issue concerns the remote API at "/job/(job-name)/api" which contained information about upstream and downstream projects, including tasks that the current user otherwise has no access to due to lack of Item/Read permission.

Recommendations For Jenkins versions 2.73.1 and earlier, 2.83 and earlier, update to a version that includes the fix, which restricts the API to only list upstream and downstream projects that the current user has access to.

Fix

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-862

Related Identifiers

CVE-2017-1000400

GHSA-P8X8-P473-MMMV

Affected Products

Jenkins

PT-2018-5182 · Cloudbees+1 · Jenkins

CVE-2017-1000400

Weakness Enumeration

Related Identifiers

Affected Products

References · 7