Vulnerability Description
Jenkins before versions 2.44 (weekly line) and 2.32.2 (LTS line) is vulnerable to an information exposure in its internal API that allows access to item names that should not be visible (SECURITY-380). This only affects anonymous users who were able to obtain a list of items via an UnprotectedRootAction; other, authenticated users legitimately have access to those names.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Jenkins | Jenkins (weekly releases) | < 2.44 |
| Jenkins | Jenkins (LTS releases) | < 2.32.2 |
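The version boundaries above are the whole test for whether an instance is affected, but they sit on two release lines: weekly releases carry two-component version numbers (2.44) and LTS releases three (2.32.2), so a plain numeric comparison misclassifies weekly 2.33 through 2.43, which sort above 2.32.2 yet are unfixed. The following Python is added here as an example and is not code from the Jenkins project or the advisory; it reads the version from the `X-Jenkins` response header that a Jenkins instance sends (the sample response embedded below is constructed for the example) and classifies it against the fix versions named on this page.

```python
"""Added example (not from the advisory): classify a Jenkins version string
against the CVE-2017-2606 fix releases named on this page."""
import re

# Fix versions taken from the advisory text: 2.44 on the weekly line,
# 2.32.2 on the LTS line.
FIXED_WEEKLY = (2, 44)
FIXED_LTS = (2, 32, 2)

# Constructed sample of a Jenkins HTTP response; a real instance reports its
# version in the X-Jenkins response header exactly like this.
SAMPLE_HEADERS = """HTTP/1.1 200 OK
X-Jenkins: 2.32.1
X-Jenkins-Session: 0123abcd
Content-Type: text/html;charset=utf-8
"""

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)+)")


def parse_version(text):
    """Turn '2.32.1' (or '2.32.1-SNAPSHOT') into the tuple (2, 32, 1)."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError("not a Jenkins version: %r" % text)
    return tuple(int(p) for p in match.group(1).split("."))


def is_lts(version):
    """LTS releases have three components (2.32.2); weekly releases two (2.44)."""
    return len(version) == 3


def is_vulnerable(version_text):
    """True if the version is below the fix release of its own line.

    Comparing only against 2.32.2 would wrongly clear weekly 2.33..2.43, and
    comparing only against 2.44 would wrongly flag LTS 2.32.2 and later LTS
    lines, so the line is decided first.
    """
    version = parse_version(version_text)
    if is_lts(version):
        return version < FIXED_LTS
    return version < FIXED_WEEKLY


def version_from_headers(raw_headers):
    """Extract the X-Jenkins header value from a raw HTTP response header block."""
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-jenkins":
            return value.strip()
    raise ValueError("no X-Jenkins header; response does not look like Jenkins")


def check_response(raw_headers):
    """Return (version string, vulnerable?) for a captured response header block."""
    version = version_from_headers(raw_headers)
    return version, is_vulnerable(version)


if __name__ == "__main__":
    version, vulnerable = check_response(SAMPLE_HEADERS)
    line = "LTS" if is_lts(parse_version(version)) else "weekly"
    print("Jenkins %s (%s line): %s" % (
        version, line,
        "affected by SECURITY-380" if vulnerable else "fixed"))
```

To feed it a live instance, capture the headers of any Jenkins page (for example with `curl -sI` against the login page) and pass the text to `check_response`; the header is sent regardless of whether anonymous access is enabled. The check only says whether the core fix is present; whether an installed plugin actually exposes item names through an UnprotectedRootAction is a separate question that this page does not answer.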
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/95962 (Third Party Advisory, VDB Entry)
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2606 (Issue Tracking)
- https://github.com/jenkinsci/jenkins/commit/09cfbc9cd5c9df7c763bc976b7f5c51266b6 (Third Party Advisory, fixing commit)
- https://jenkins.io/security/advisory/2017-02-01/ (Vendor Advisory)
FAQ
What is CVE-2017-2606?
CVE-2017-2606 is a vulnerability with a CVSS base score of 4.3 (MEDIUM). Jenkins before versions 2.44 (weekly) and 2.32.2 (LTS) is vulnerable to an information exposure in its internal API that allows access to item names that should not be visible (SECURITY-380). It only affects anonymous users who were able to obtain a list of items via an UnprotectedRootAction; other users legitimately have access to those names.
How severe is CVE-2017-2606?
CVE-2017-2606 has been rated MEDIUM with a CVSS base score of 4.3/10. This page gives only the qualitative rating and base score; the full CVSS metric vector is not reproduced here. The impact is limited to disclosure of item names to anonymous users and does not by itself grant access to the items.
Is there a patch for CVE-2017-2606?
Yes. The fix shipped in Jenkins 2.44 (weekly) and 2.32.2 (LTS); upgrading to those or later releases on the respective line resolves the issue. The vendor advisory (https://jenkins.io/security/advisory/2017-02-01/) and the fixing commit are listed in the references section above. The only affected product is Jenkins itself.