Information Disclosure in Jenkins Mailer Plugin by CloudBees
CVE-2017-2651

3.7 LOW

Key Information:

Vendor: Jenkins
CVE Published: 27 July 2018

Summary

The Jenkins Mailer Plugin prior to version 1.20 is susceptible to an information disclosure vulnerability that arises when it sends emails to a list of users generated dynamically from changelogs. The flaw can unintentionally expose email communications to individuals who do not have a user account in Jenkins and, in rare scenarios, to recipients not associated with the project being built, because of linkage based on the local part of email addresses.

Affected Version(s)

jenkins-mailer-plugin 1.20

CVSS V3.1

Score: 3.7
Severity: LOW
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved