Jenkins Config File Provider Plugin Vulnerability Exposes Sensitive Data
CVE-2017-1000104
6.5 MEDIUM
Summary
The Config File Provider Plugin for Jenkins manages configuration files that can contain sensitive information, including credentials. A vulnerability allowed users with only limited permissions (Overall/Read) to access specific URLs and view these sensitive files. The fix adds access restrictions: users must now have permission to configure the provided files or to view the configuration folder, or have Job/Configure permission on jobs that use these files. This tightens access to the sensitive data managed through the plugin.
CVSS V3.1
Score: 6.5
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability Reserved
Vulnerability published