Main Vulnerability Database Vulnerabilities #VU31329

Improper Privilege Management in Jenkins - CVE-2017-2599

Published: April 11, 2018 / Updated: July 17, 2020

Vulnerability identifier: #VU31329

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2017-2599

CWE-ID: CWE-269

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Jenkins

Affected software:
Jenkins

Detailed vulnerability description

The vulnerability allows a remote authenticated user to read and manipulate data.

Jenkins before versions 2.44 and 2.32.2 is vulnerable to an insufficient permission check. This allows users with permissions to create new items (e.g. jobs) to overwrite existing items they don't have access to (SECURITY-321).

How to mitigate CVE-2017-2599

Install update from vendor's website.

Sources

http://www.securityfocus.com/bid/95949
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2599
https://github.com/jenkinsci/jenkins/commit/4ed5c850b6855ab064a66d02fb338f366853ce89
https://jenkins.io/security/advisory/2017-02-01/

Improper Privilege Management in Jenkins - CVE-2017-2599

Detailed vulnerability description

How to mitigate CVE-2017-2599

Sources

Please verify you're human