Encryption Flaw in Jenkins by CloudBees Non-ideal AES ECB Mode
CVE-2017-2598

4.3MEDIUM

Key Information:

Vendor

[unknown]

Status
Jenkins
Vendor
CVE Published:
23 May 2018

What is CVE-2017-2598?

Jenkins prior to versions 2.44 and 2.32.2 uses the AES block cipher in ECB mode without an initialization vector (IV), leading to potential exposure of sensitive encrypted data. This design flaw compromises the confidentiality of stored secrets, which could be at risk of unauthorized access and exploitation. It is crucial for users to promptly update to the latest versions to mitigate these risks and secure their Jenkins environments.

Affected Version(s)

jenkins jenkins 2.44

jenkins jenkins 2.32.2

References

https://jenkins.io/security/advisory/2017-02-01/
x_refsource_CONFIRM
https://github.com/jenkinsci/jenkins/commit/e6aa166246d17...
x_refsource_CONFIRM
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2598
x_refsource_CONFIRM

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.