Inadequate Encryption Strength in Jenkins - CVE-2017-2598

Published: May 23, 2018 / Updated: July 17, 2020


Vulnerability identifier: #VU31294
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2017-2598
CWE-ID: CWE-326
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Jenkins
Affected software:
Jenkins

Detailed vulnerability description

The vulnerability allows a remote authenticated user to gain access to sensitive information.

Jenkins before versions 2.44 and 2.32.2 uses the AES ECB block cipher mode, without an IV, to encrypt stored secrets. Because ECB encrypts each block independently under the same key, identical plaintext blocks produce identical ciphertext blocks, so the ciphertext leaks structure; this exposes Jenkins and the stored secrets to unnecessary risk (SECURITY-304).
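As an added illustration (not code from Jenkins or from this advisory; Jenkins itself is written in Java), the Go program below shows why the ECB construction described above is weak: three identical plaintext blocks encrypt to three identical ciphertext blocks, while CBC with a fresh random IV produces no repeats. The key and secret are constructed demo values, and `repeatedBlocks` is a cheap check a defender can run over stored ciphertext to spot this kind of leakage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// ecbEncrypt is the flagged construction: AES-ECB with no IV, each block encrypted independently under one key; pt must be block aligned.
func ecbEncrypt(block cipher.Block, pt []byte) []byte {
	out, bs := make([]byte, len(pt)), block.BlockSize()
	for i := 0; i < len(pt); i += bs {
		block.Encrypt(out[i:i+bs], pt[i:i+bs])
	}
	return out
}

// cbcEncrypt is the hardened form: CBC with a fresh random IV prepended to the output, so equal plaintext blocks give unequal ciphertext blocks.
func cbcEncrypt(block cipher.Block, pt []byte) []byte {
	bs := block.BlockSize()
	out := make([]byte, bs+len(pt))
	rand.Read(out[:bs]) // IV; crypto/rand.Read always fills the slice fully (never returns an error in Go 1.24+)
	cipher.NewCBCEncrypter(block, out[:bs]).CryptBlocks(out[bs:], pt)
	return out
}

// repeatedBlocks counts ciphertext blocks that duplicate an earlier one; a non-zero count over stored secrets is a cheap sign of ECB-style leakage.
func repeatedBlocks(ct []byte) (n int) {
	counts := map[string]int{}
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		counts[string(ct[i:i+aes.BlockSize])]++
	}
	for _, c := range counts {
		n += c - 1 // every occurrence beyond the first is a repeat
	}
	return n
}

// Constructed demo inputs (not real Jenkins material): a 16-byte AES-128 key and a 48-byte secret made of the same 16-byte block three times.
var demoKey = []byte("0123456789abcdef")
var demoSecret = []byte("SAME16BYTESECRETSAME16BYTESECRETSAME16BYTESECRET")
func main() {
	block, err := aes.NewCipher(demoKey)
	if err != nil {
		panic(err)
	}
	fmt.Println("ECB repeated blocks:", repeatedBlocks(ecbEncrypt(block, demoSecret))) // 2
	fmt.Println("CBC repeated blocks:", repeatedBlocks(cbcEncrypt(block, demoSecret))) // 0
}
```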


How to mitigate CVE-2017-2598

Install the update from the vendor's website (Jenkins 2.44 / 2.32.2 or later).

Sources