Information Disclosure Vulnerability in Jenkins by CloudBees
CVE-2017-2609
4.3 MEDIUM
What is CVE-2017-2609?
Jenkins versions prior to 2.44 and 2.32.2 have a vulnerability that exposes information to unauthorized users through the search autocomplete feature. When a user types in the search box, the suggestions include the titles of views, some of which may be restricted based on that user's permissions. This flaw could disclose sensitive information to users who should not have access to the restricted views.
Affected Version(s)
jenkins jenkins 2.44
jenkins jenkins 2.32.2
