CVE-2017-1000395
CVE-2017-1000395 is a vulnerability of currently unknown severity. EPSS estimates a 1.33% chance of exploitation in the next 30 days.
Description
Jenkins 2.73.1 and earlier, 2.83 and earlier provide information about Jenkins user accounts that is generally available to anyone with Overall/Read permission via the /user/(username)/api remote API. This included, for example, Jenkins users' email addresses if the Mailer Plugin is installed. The remote API now no longer includes information beyond the most basic (user ID and name) unless the user requesting it is a Jenkins administrator.
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Jenkins | Jenkins | <= 2.73.1 |
| Jenkins | Jenkins | <= 2.83 |
References
- https://jenkins.io/security/advisory/2017-10-11/ (Vendor Advisory)
Source: NVD / NIST
