PT-2018-7132 · Cloudbees+1 · Jenkins

James Dumay

Published

2018-05-08

Updated

2022-05-13

CVE-2017-2606

CVSS v3.1

4.3

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions: Jenkins versions prior to 2.44 Jenkins versions prior to 2.32.2

Description: The issue is related to an information exposure in the internal API, allowing access to item names that should not be visible. This affects anonymous users who were able to get a list of items via an UnprotectedRootAction. Other users have legitimate access to this information.

Recommendations: For versions prior to 2.44, update to version 2.44 or later. For versions prior to 2.32.2, update to version 2.32.2 or later.

Fix

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-200

Related Identifiers

CVE-2017-2606

GHSA-6967-9VVV-4CMM

Affected Products

Jenkins

PT-2018-7132 · Cloudbees+1 · Jenkins

CVE-2017-2606

Weakness Enumeration

Related Identifiers

Affected Products

References · 8