Main Vulnerability Database Vulnerabilities #VU31305

Improper Authentication in Jenkins - CVE-2017-2604

Published: May 15, 2018 / Updated: July 17, 2020

Vulnerability identifier: #VU31305

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2017-2604

CWE-ID: CWE-287

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Jenkins

Affected software:
Jenkins

Detailed vulnerability description

The vulnerability allows a remote authenticated user to manipulate data.

In Jenkins before versions 2.44, 2.32.2 low privilege users were able to act on administrative monitors due to them not being consistently protected by permission checks (SECURITY-371).

How to mitigate CVE-2017-2604

Install update from vendor's website.

Sources

http://www.securityfocus.com/bid/95959
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2604
https://github.com/jenkinsci/jenkins/commit/6efcf6c2ac39bc5c59ac7251822be8ddf67ceaf8
https://jenkins.io/security/advisory/2017-02-01/

Improper Authentication in Jenkins - CVE-2017-2604

Detailed vulnerability description

How to mitigate CVE-2017-2604

Sources

Please verify you're human