User Data Leak in Jenkins Configuration via Disconnected Agents
CVE-2017-2603

2.6LOW

Key Information:

Vendor

[unknown]

Status
Jenkins
Vendor
CVE Published:
15 May 2018

What is CVE-2017-2603?

Jenkins prior to version 2.44 and 2.32.2 is susceptible to a security issue that allows unauthorized access to sensitive information stored in the config.xml API of disconnected agents. This can result in the exposure of crucial data, including API tokens, potentially allowing adversaries to exploit the system further. Users are advised to upgrade to the latest versions to mitigate this risk.

Affected Version(s)

jenkins jenkins 2.44

jenkins jenkins 2.32.2

References

https://jenkins.io/security/advisory/2017-02-01/
x_refsource_CONFIRM
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2603
x_refsource_CONFIRM
https://github.com/jenkinsci/jenkins/commit/3cd946cbef82c...
x_refsource_CONFIRM

CVSS V3.1

Score:
2.6
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.