1. Home
  2. Security Advisories
  3. Maven
  4. MAVEN:GHSA-WQV4-9GR3-3QGH

[MAVEN:GHSA-WQV4-9GR3-3QGH] Exposure of Sensitive Information to an Unauthorized Actor in Jenkins

Severity Moderate
Affected Packages 2
Fixed Packages 2
CVEs 1
Info Packages References Vulnerabilities

Jenkins 2.73.1 and earlier, 2.83 and earlier provides information about Jenkins user accounts which is generally available to anyone with Overall/Read permissions via the /user/(username)/api remote API. This included e.g. Jenkins users' email addresses if the Mailer Plugin is installed. The remote API now no longer includes information beyond the most basic (user ID and name) unless the user requesting it is a Jenkins administrator.

Package Affected Version
pkg:maven/org.jenkins-ci.main/jenkins-core >= 2.74, <= 2.83
pkg:maven/org.jenkins-ci.main/jenkins-core <= 2.73.1
Package Fixed Version
pkg:maven/org.jenkins-ci.main/jenkins-core = 2.84
pkg:maven/org.jenkins-ci.main/jenkins-core = 2.73.2
ID
MAVEN:GHSA-WQV4-9GR3-3QGH
Severity
moderate
URL
https://github.com/advisories/GHSA-wqv4-9gr3-3qgh
Published
2022-05-14T01:04:35
(2 years ago)
Modified
2023-01-27T05:02:22
(20 months ago)
Rights
Maven Security Team
Type Package URL Namespace Name / Product Version Distribution / Platform Arch Patch / Fix
Affected pkg:maven/org.jenkins-ci.main/jenkins-core org.jenkins-ci.main jenkins-core >= 2.74 <= 2.83
Fixed pkg:maven/org.jenkins-ci.main/jenkins-core org.jenkins-ci.main jenkins-core = 2.84
Affected pkg:maven/org.jenkins-ci.main/jenkins-core org.jenkins-ci.main jenkins-core <= 2.73.1
Fixed pkg:maven/org.jenkins-ci.main/jenkins-core org.jenkins-ci.main jenkins-core = 2.73.2
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories Exploits PoC Pubblication Date Modification Date
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories PoC Pubblication Date Modification Date