Information disclosure in Jenkins - CVE-2017-2600

Published: May 15, 2018 / Updated: July 17, 2020


Vulnerability identifier: #VU31307
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2017-2600
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Jenkins
Affected software:
Jenkins

Detailed vulnerability description

The vulnerability allows a remote authenticated user to gain access to sensitive information.

In Jenkins before versions 2.44 and 2.32.2, node monitor data could be viewed by low-privilege users via the remote API. This data included system configuration and runtime information of those nodes (SECURITY-343).


How to mitigate CVE-2017-2600

Install the update from the vendor's website (Jenkins 2.44 or later on the weekly line, 2.32.2 or later on the LTS line).
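The following is an added example (not part of this advisory or of Jenkins) for confirming whether an instance is still on a version predating the fix; it takes the fix versions 2.44 (weekly) and 2.32.2 (LTS) from the advisory and assumes Jenkins' convention that LTS versions carry three numeric components while weekly releases carry two.

```python
"""Classify a Jenkins version string against the CVE-2017-2600 fix versions.

Added example. The only facts taken from the advisory are the fix versions;
the LTS-vs-weekly distinction by component count is an assumption about the
Jenkins versioning scheme, and the sample versions below are constructed.
"""

# Fix versions stated in the advisory.
WEEKLY_FIXED = (2, 44)
LTS_FIXED = (2, 32, 2)


def parse_version(text: str) -> tuple:
    """Turn '2.32.1' into (2, 32, 1); trailing non-numeric suffixes are dropped."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    if not parts:
        raise ValueError(f"unparseable Jenkins version: {text!r}")
    return tuple(parts)


def is_lts(version: tuple) -> bool:
    """Assumption: LTS releases look like 2.32.2, weekly releases like 2.44."""
    return len(version) >= 3


def is_affected(text: str) -> bool:
    """True if the version predates the CVE-2017-2600 fix on its release line."""
    v = parse_version(text)
    if is_lts(v):
        # LTS: everything before 2.32.2 (e.g. 2.19.4, 2.32.1) still exposes node monitor data.
        return v < LTS_FIXED
    # Weekly: everything before 2.44 (e.g. 1.658, 2.43) is affected.
    return v[:2] < WEEKLY_FIXED


if __name__ == "__main__":
    # Constructed sample of X-Jenkins header values seen across a fleet.
    for sample in ["2.32.1", "2.32.2", "2.43", "2.44", "2.46.1", "1.651.3"]:
        state = "AFFECTED" if is_affected(sample) else "fixed"
        print(f"{sample:>8}: {state}")
```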

Sources