CVE-2017-1000354
CVSS v3.0: 8.8 (High)
CVSS v2.0: 6.5 (Medium)
EPSS: 0.11 % (44th percentile)
Affected Products: 1
Advisories: 3
Jenkins versions 2.56 and earlier, as well as 2.46.1 LTS and earlier, are vulnerable to a login command that allowed impersonating any Jenkins user (the corresponding fixed releases are 2.57 and 2.46.2 LTS). The login command available in the remoting-based CLI stored the encrypted user name of the successfully authenticated user in a cache file that was then used to authenticate further commands. The cache file was therefore nothing more than the ciphertext of a user name under the instance key, the same key that protects stored secrets, and nothing bound it to the session or the credentials that produced it. Users with sufficient permission to create secrets in Jenkins and download their encrypted values (e.g. with Job/Configure permission) could obtain the encrypted form of any user name they chose, present it as a cache file, and thereby impersonate any other Jenkins user on the same instance.
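The following is an added, self-contained Python model of the flaw described above; it is not Jenkins code and uses a toy cipher, constructed user accounts and invented class names (VulnerableInstance, HardenedInstance) purely for illustration. It shows why the bug does not require breaking any cryptography: the secret store acts as an encryption oracle for the same key the auth cache trusts, so a "secret" whose plaintext is another user's name is accepted as that user's cache file. The hardened variant replaces the encrypted user name with an opaque random session token resolved server-side, so the secret store's ciphertexts are meaningless to the authenticator.

```python
"""Toy model of CVE-2017-1000354 (added example, not Jenkins code): an auth cache
that stores encrypt(user name) under the same instance key that encrypts
user-created secrets, beside a hardened design using opaque session tokens."""

import hashlib
import os
import secrets
from typing import Optional

NONCE_LEN = 12

# Constructed user database for the example; these are not real credentials.
USERS = {"admin": "correct horse", "mallory": "battery staple"}


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy counter-mode keystream from SHA-256; stands in for the real cipher.
    # The attack below would work identically against a strong AEAD cipher.
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class VulnerableInstance:
    """Pre-fix design: one key serves two purposes (stored secrets and the auth cache)."""

    def __init__(self) -> None:
        self.instance_key = os.urandom(32)

    def login(self, user: str, password: str) -> bytes:
        if USERS.get(user) != password:
            raise PermissionError("bad credentials")
        # The cache file is nothing more than the encrypted user name.
        return encrypt(self.instance_key, user.encode())

    def authenticate_cache(self, cache_blob: bytes) -> str:
        # Whatever decrypts under the instance key is trusted as the caller's identity.
        return decrypt(self.instance_key, cache_blob).decode()

    def create_secret(self, caller: str, plaintext: bytes) -> bytes:
        # A user with Job/Configure-level rights can store a secret and read back
        # its encrypted form: an encryption oracle for instance_key.
        if caller not in USERS:
            raise PermissionError("unknown caller")
        return encrypt(self.instance_key, plaintext)


class HardenedInstance:
    """The auth cache holds an opaque random token resolved server-side; the key
    protecting stored secrets plays no part in authentication."""

    def __init__(self) -> None:
        self.secret_key = os.urandom(32)
        self.sessions: dict = {}

    def login(self, user: str, password: str) -> bytes:
        if USERS.get(user) != password:
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user
        return token.encode()

    def authenticate_cache(self, cache_blob: bytes) -> str:
        user = self.sessions.get(cache_blob.decode(errors="replace"))
        if user is None:
            raise PermissionError("unknown session token")
        return user

    def create_secret(self, caller: str, plaintext: bytes) -> bytes:
        if caller not in USERS:
            raise PermissionError("unknown caller")
        return encrypt(self.secret_key, plaintext)


def impersonation_attempt(instance) -> Optional[str]:
    """mallory, who can create secrets, stores the string 'admin' as a secret and
    presents the returned ciphertext as a CLI cache file. Returns the identity the
    instance assigns, or None if the forged cache is rejected."""
    forged_cache = instance.create_secret("mallory", b"admin")
    try:
        return instance.authenticate_cache(forged_cache)
    except PermissionError:
        return None


if __name__ == "__main__":
    print("vulnerable:", impersonation_attempt(VulnerableInstance()))  # admin
    print("hardened:  ", impersonation_attempt(HardenedInstance()))    # None
```

The design point is that an encryption key shared between a user-writable store and an authentication path turns the store into a forgery oracle, regardless of cipher strength. Binding identity to something the server alone issues and can look up (or, alternatively, to a MAC under a key used for nothing else and over a purpose-tagged message) removes the oracle.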
Weaknesses
- CWE-287: Improper Authentication
CVE Status: PUBLISHED
CNA: MITRE
Published Date: 2018-01-29 17:29:00
Updated Date: 2018-02-15 18:25:38