#VU10797 Information disclosure - CVE-2018-6356

Cybersecurity Help s.r.o.

Published: 2018-03-01

Vulnerability identifier: #VU10797

Vulnerability risk: Low

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-6356

CWE-ID: CWE-22

Exploitation vector: Network

Exploit availability: No

Vulnerable software:

Vendor:

Description

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information on the target system.

The vulnerability exists in the Extended Choice Parameter plug-in for Jenkins due to insufficient security restrictions. A remote attacker can use the Extended Choice Parameter plug-in, trigger path traversal and access potentially sensitive information.

Mitigation
Update to version 2.107.

Vulnerable software versions

External links
https://jenkins.io/download/
https://jenkins.io/security/advisory/2018-02-14/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Information disclosure in Jenkins CI