CVE-2017-2598 – org.jenkins-ci.main:jenkins-core
Package
Manager: maven
Name: org.jenkins-ci.main:jenkins-core
Vulnerable Version: >=0 <2.32.2 || >=2.34 <2.44
Severity
Level: Medium
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00026 (percentile: 0.05565)
Details
Inadequate Encryption Strength in Jenkins. Jenkins before versions 2.44 and 2.32.2 uses the AES ECB block cipher mode without an IV for encrypting secrets, which makes Jenkins and the stored secrets vulnerable to unnecessary risks (SECURITY-304).
Metadata
Created: 2022-05-13T01:36:56Z
Modified: 2022-07-01T18:29:06Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-r9q2-3r6x-qmgp/GHSA-r9q2-3r6x-qmgp.json
CWE IDs: ["CWE-326"]
Alternative ID: GHSA-r9q2-3r6x-qmgp
Finding: F052
Auto approve: 1