CVE-2017-2606 – org.jenkins-ci.main:jenkins-core

Package

Manager: maven
Name: org.jenkins-ci.main:jenkins-core
Vulnerable Version: >=0 <2.32.2 || >=2.34 <2.44

Severity

Level: Medium

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00044 pctl0.12675

Details

Exposure of Sensitive Information to an Unauthorized Actor in Jenkins Jenkins before versions 2.44 and 2.32.2 is vulnerable to an information exposure in the internal API that allows access to item names that should not be visible (SECURITY-380). This only affects anonymous users (other users legitimately have access) that were able to get a list of items via an UnprotectedRootAction.

Metadata

Created: 2022-05-13T01:36:54Z
Modified: 2022-07-01T17:47:58Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-6967-9vvv-4cmm/GHSA-6967-9vvv-4cmm.json
CWE IDs: ["CWE-200"]
Alternative ID: GHSA-6967-9vvv-4cmm
Finding: F038
Auto approve: 1