Information disclosure in Jenkins - CVE-2017-2609
Published: May 22, 2018 / Updated: July 17, 2020


Vulnerability identifier: #VU31299
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2017-2609
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Jenkins
Affected software:
Jenkins

Detailed vulnerability description

The vulnerability allows a remote authenticated user to gain access to sensitive information.

Jenkins before versions 2.44 and 2.32.2 is vulnerable to an information disclosure vulnerability in search suggestions (SECURITY-385). The autocomplete feature of the search box discloses the names of views in its suggestions, including views the current user does not have permission to access.
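As an added example (not part of this advisory), a small Python check that decides whether a reported Jenkins version string predates the fixed releases named above. It assumes that a three-component version (e.g. 2.32.1) belongs to the LTS line fixed in 2.32.2 and a two-component version (e.g. 2.43) to the weekly line fixed in 2.44; the version strings in `main` are constructed samples.

```python
import re
from typing import Tuple

# Fixed releases named in the advisory (SECURITY-385): weekly line 2.44,
# LTS line 2.32.2. Anything strictly below the matching line is affected.
FIXED_WEEKLY = (2, 44)
FIXED_LTS = (2, 32, 2)

# Leading "major.minor" with an optional ".patch"; trailing qualifiers
# such as "-SNAPSHOT" are ignored by matching only the prefix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_jenkins_version(version: str) -> Tuple[int, ...]:
    """Parse "2.43" -> (2, 43) or "2.32.1" -> (2, 32, 1).

    Raises ValueError for strings that do not start with a version number.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"not a Jenkins version string: {version!r}")
    return tuple(int(part) for part in match.groups() if part is not None)


def is_affected_by_cve_2017_2609(version: str) -> bool:
    """True if the version predates the fix for SECURITY-385.

    Assumption: three components means the LTS line (compare against
    2.32.2); two components means the weekly line (compare against 2.44).
    Tuple comparison is lexicographic, so (2, 32, 1) < (2, 32, 2) holds
    while (2, 46, 1) < (2, 32, 2) does not.
    """
    parsed = parse_jenkins_version(version)
    if len(parsed) == 3:
        return parsed < FIXED_LTS
    return parsed < FIXED_WEEKLY


def main() -> None:
    # Constructed sample values, e.g. as read from an X-Jenkins header.
    for sample in ["2.43", "2.44", "2.32.1", "2.32.2", "2.46.1"]:
        state = "AFFECTED" if is_affected_by_cve_2017_2609(sample) else "fixed"
        print(f"{sample:>8}: {state}")


if __name__ == "__main__":
    main()
```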


How to mitigate CVE-2017-2609

Install the update from the vendor's website.

Sources