Information disclosure in Jenkins - CVE-2017-2606
Published: May 8, 2018 / Updated: July 17, 2020
Vulnerability identifier: #VU31310
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2017-2606
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Jenkins
Affected software:
Jenkins
Jenkins
Detailed vulnerability description
The vulnerability allows a remote authenticated user to gain access to sensitive information.
Jenkins before versions 2.44, 2.32.2 is vulnerable to an information exposure in the internal API that allows access to item names that should not be visible (SECURITY-380). This only affects anonymous users (other users legitimately have access) that were able to get a list of items via an UnprotectedRootAction.
How to mitigate CVE-2017-2606
Install update from vendor's website.