CVE-2017-1000086 — HIGH (8.0)

Vulnerability Description

The Periodic Backup Plugin did not perform any permission checks, allowing any user with Overall/Read access to change its settings, trigger backups, restore backups, download backups, and also delete all previous backups via log rotation. Additionally, the plugin was not requiring requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks.

CVSS Score

8.0

HIGH

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Jenkins	Periodic Backup	1.0

Related Weaknesses (CWE)

CWE-862

References

http://www.securityfocus.com/bid/100437Third Party AdvisoryVDB Entry
https://jenkins.io/security/advisory/2017-07-10/Vendor Advisory
http://www.securityfocus.com/bid/100437Third Party AdvisoryVDB Entry
https://jenkins.io/security/advisory/2017-07-10/Vendor Advisory

FAQ

What is CVE-2017-1000086?

CVE-2017-1000086 is a vulnerability with a CVSS score of 8.0 (HIGH). The Periodic Backup Plugin did not perform any permission checks, allowing any user with Overall/Read access to change its settings, trigger backups, restore backups, download backups, and also delete...

How severe is CVE-2017-1000086?

CVE-2017-1000086 has been rated HIGH with a CVSS base score of 8.0/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2017-1000086?

Check the references section above for vendor advisories and patch information. Affected products include: Jenkins Periodic Backup.