PT-2018-5183 · Jenkins · Jenkins

Ben Walding

Published

2018-01-26

Updated

2022-05-14

CVE-2017-1000401

CVSS v3.1

2.2

Low

Vector

AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions Jenkins versions 2.73.1 and earlier, 2.83 and earlier

Description The default form control for passwords and other secrets in Jenkins supports form validation, which could potentially log secrets to HTTP access logs in non-default configurations. This issue arises because form validation AJAX requests were sent via GET. Form validation is now sent via POST, which is typically not logged.

Recommendations For Jenkins versions 2.73.1 and earlier, 2.83 and earlier, update the form validation to send requests via POST to prevent secrets from being logged to HTTP access logs.

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20

Related Identifiers

CVE-2017-1000401

GHSA-H8C5-C92G-JQ6X

Affected Products

Jenkins

PT-2018-5183 · Jenkins · Jenkins

CVE-2017-1000401

Weakness Enumeration

Related Identifiers

Affected Products

References · 7