What is the severity of CVE-2017-1000091?

CVE-2017-1000091 has a medium severity level due to improper permission checks in Jenkins.

How do I fix CVE-2017-1000091?

To fix CVE-2017-1000091, update the GitHub Branch Source plugin to the latest version that contains the necessary security patches.

Who is affected by CVE-2017-1000091?

Any user with Overall/Read access to Jenkins can potentially exploit the vulnerability in CVE-2017-1000091.

What versions of Jenkins are impacted by CVE-2017-1000091?

CVE-2017-1000091 affects multiple versions of the GitHub Branch Source plugin, specifically those before the fixed versions.

What is the nature of the vulnerability in CVE-2017-1000091?

CVE-2017-1000091 involves improper permission checks allowing unauthorized access to the GitHub API for users with minimal privileges.

Vulnerability/
CVE-2017-1000091

medium

6.8

CWE

352

4/10/2017

5/8/2024

CVE-2017-1000091: CSRF

First published: Wed Oct 04 2017(Updated: 8 months ago)

GitHub Branch Source Plugin connects to a user-specified GitHub API URL (e.g. GitHub Enterprise) as part of form validation and completion (e.g. to verify Scan Credentials are correct). This functionality improperly checked permissions, allowing any user with Overall/Read access to Jenkins to connect to any web server and send credentials with a known ID, thereby possibly capturing them. Additionally, this functionality did not require POST requests be used, thereby allowing the above to be performed without direct access to Jenkins via Cross-Site Request Forgery.

Credit: cve@mitre.org

Affected Software	Affected Version	How to fix
Jenkins GitHub Branch Source	=0.1-beta-1
Jenkins GitHub Branch Source	=0.1-beta-2
Jenkins GitHub Branch Source	=0.1-beta-3
Jenkins GitHub Branch Source	=0.1-beta-4
Jenkins GitHub Branch Source	=1.0
Jenkins GitHub Branch Source	=1.1
Jenkins GitHub Branch Source	=1.2
Jenkins GitHub Branch Source	=1.3
Jenkins GitHub Branch Source	=1.4
Jenkins GitHub Branch Source	=1.4-beta-1
Jenkins GitHub Branch Source	=1.5
Jenkins GitHub Branch Source	=1.6
Jenkins GitHub Branch Source	=1.7
Jenkins GitHub Branch Source	=1.8
Jenkins GitHub Branch Source	=1.8.1
Jenkins GitHub Branch Source	=1.9
Jenkins GitHub Branch Source	=1.10
Jenkins GitHub Branch Source	=2.0.0
Jenkins GitHub Branch Source	=2.0.0-beta-1
Jenkins GitHub Branch Source	=2.0.0-beta-2
Jenkins GitHub Branch Source	=2.0.1
Jenkins GitHub Branch Source	=2.0.1-beta-1
Jenkins GitHub Branch Source	=2.0.1-beta-2
Jenkins GitHub Branch Source	=2.0.1-beta-3
Jenkins GitHub Branch Source	=2.0.1-beta-4
Jenkins GitHub Branch Source	=2.0.1-beta-5
Jenkins GitHub Branch Source	=2.0.1-beta-6
Jenkins GitHub Branch Source	=2.0.2
Jenkins GitHub Branch Source	=2.0.3
Jenkins GitHub Branch Source	=2.0.4
Jenkins GitHub Branch Source	=2.0.4-beta-1
Jenkins GitHub Branch Source	=2.0.5
Jenkins GitHub Branch Source	=2.0.6
Jenkins GitHub Branch Source	=2.0.7
Jenkins GitHub Branch Source	=2.2.0-alpha-1
Jenkins GitHub Branch Source	=2.2.0-alpha-2
Jenkins GitHub Branch Source	=2.2.0-alpha-3
Jenkins GitHub Branch Source	=2.2.0-alpha-4
Jenkins GitHub Branch Source	=2.2.0-beta-1

Never miss a vulnerability like this again

Reference Links

https://jenkins.io/security/advisory/2017-07-10/

Frequently Asked Questions

What is the severity of CVE-2017-1000091?
CVE-2017-1000091 has a medium severity level due to improper permission checks in Jenkins.
How do I fix CVE-2017-1000091?
To fix CVE-2017-1000091, update the GitHub Branch Source plugin to the latest version that contains the necessary security patches.
Who is affected by CVE-2017-1000091?
Any user with Overall/Read access to Jenkins can potentially exploit the vulnerability in CVE-2017-1000091.
What versions of Jenkins are impacted by CVE-2017-1000091?
CVE-2017-1000091 affects multiple versions of the GitHub Branch Source plugin, specifically those before the fixed versions.
What is the nature of the vulnerability in CVE-2017-1000091?
CVE-2017-1000091 involves improper permission checks allowing unauthorized access to the GitHub API for users with minimal privileges.

agent/type
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/references
agent/weakness
agent/severity
agent/author
agent/last-modified-date
agent/description
agent/first-publish-date
agent/event
agent/source
agent/tags
collector/nvd-index
agent/software-canonical-lookup-request
vendor/jenkins
canonical/jenkins github branch source
version/jenkins github branch source/0.1-beta-1
version/jenkins github branch source/0.1-beta-2
version/jenkins github branch source/0.1-beta-3
version/jenkins github branch source/0.1-beta-4
version/jenkins github branch source/1.0
version/jenkins github branch source/1.1
version/jenkins github branch source/1.2
version/jenkins github branch source/1.3
version/jenkins github branch source/1.4
version/jenkins github branch source/1.4-beta-1
version/jenkins github branch source/1.5
version/jenkins github branch source/1.6
version/jenkins github branch source/1.7
version/jenkins github branch source/1.8
version/jenkins github branch source/1.8.1
version/jenkins github branch source/1.9
version/jenkins github branch source/1.10
version/jenkins github branch source/2.0.0
version/jenkins github branch source/2.0.0-beta-1
version/jenkins github branch source/2.0.0-beta-2
version/jenkins github branch source/2.0.1
version/jenkins github branch source/2.0.1-beta-1
version/jenkins github branch source/2.0.1-beta-2
version/jenkins github branch source/2.0.1-beta-3
version/jenkins github branch source/2.0.1-beta-4
version/jenkins github branch source/2.0.1-beta-5
version/jenkins github branch source/2.0.1-beta-6
version/jenkins github branch source/2.0.2
version/jenkins github branch source/2.0.3
version/jenkins github branch source/2.0.4
version/jenkins github branch source/2.0.4-beta-1
version/jenkins github branch source/2.0.5
version/jenkins github branch source/2.0.6
version/jenkins github branch source/2.0.7
version/jenkins github branch source/2.2.0-alpha-1
version/jenkins github branch source/2.2.0-alpha-2
version/jenkins github branch source/2.2.0-alpha-3
version/jenkins github branch source/2.2.0-alpha-4
version/jenkins github branch source/2.2.0-beta-1