Vulnerability Description
jenkins-mailer-plugin before version 1.20 is vulnerable to an information disclosure while using the feature to send emails to a dynamically created list of users based on the changelogs. This could in some cases result in emails being sent to people who have no user account in Jenkins, and in rare cases even people who were not involved in whatever project was being built, due to some mapping based on the local-part of email addresses.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Jenkins | Mailer | < 1.20 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/96984Third Party AdvisoryVDB Entry
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2651Issue TrackingThird Party Advisory
- https://jenkins.io/security/advisory/2017-03-20/Vendor Advisory
- http://www.securityfocus.com/bid/96984Third Party AdvisoryVDB Entry
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2651Issue TrackingThird Party Advisory
- https://jenkins.io/security/advisory/2017-03-20/Vendor Advisory
FAQ
What is CVE-2017-2651?
CVE-2017-2651 is a vulnerability with a CVSS score of 3.7 (LOW). jenkins-mailer-plugin before version 1.20 is vulnerable to an information disclosure while using the feature to send emails to a dynamically created list of users based on the changelogs. This could i...
How severe is CVE-2017-2651?
CVE-2017-2651 has been rated LOW with a CVSS base score of 3.7/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-2651?
Check the references section above for vendor advisories and patch information. Affected products include: Jenkins Mailer.