CVE-2017-2651

3.7LOW

Key Information:

Vendor
Jenkins
Status
Jenkins-mailer-plugin
Vendor
CVE Published:
27 July 2018

Summary

jenkins-mailer-plugin before version 1.20 is vulnerable to an information disclosure while using the feature to send emails to a dynamically created list of users based on the changelogs. This could in some cases result in emails being sent to people who have no user account in Jenkins, and in rare cases even people who were not involved in whatever project was being built, due to some mapping based on the local-part of email addresses.

Affected Version(s)

jenkins-mailer-plugin 1.20

References

http://www.securityfocus.com/bid/96984
vdb-entryx_refsource_BID
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2651
x_refsource_CONFIRM
https://jenkins.io/security/advisory/2017-03-20/
x_refsource_CONFIRM

CVSS V3.1

Score:
3.7
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.