CVE-2017-1000354
First published: Mon Jan 29 2018(Updated: )
Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to a login command which allowed impersonating any Jenkins user. The `login` command available in the remoting-based CLI stored the encrypted user name of the successfully authenticated user in a cache file used to authenticate further commands. Users with sufficient permission to create secrets in Jenkins, and download their encrypted values (e.g. with Job/Configure permission), were able to impersonate any other Jenkins user on the same instance.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.jenkins-ci.main:jenkins-core | <=2.46.1 | 2.46.2 |
| maven/org.jenkins-ci.main:jenkins-core | >=2.50<=2.56 | 2.57 |
| Jenkins LTS | <=2.56 | |
| Jenkins LTS | <=2.46.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.securityfocus.com/bid/98065
- https://jenkins.io/security/advisory/2017-04-26/
- https://nvd.nist.gov/vuln/detail/CVE-2017-1000354
- https://github.com/jenkinsci/jenkins/commit/02d24053bdfeb219d2387a19885a60bdab510479
- https://jenkins.io/security/advisory/2017-04-26
- https://web.archive.org/web/20200227174424/http://www.securityfocus.com/bid/98065
- https://github.com/advisories/GHSA-r57f-7xw3-q2r9 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2017-1000354?
CVE-2017-1000354 is classified as a medium severity vulnerability that allows impersonation of any Jenkins user.
How do I fix CVE-2017-1000354?
To fix CVE-2017-1000354, upgrade to Jenkins version 2.46.2 or later, or to version 2.57 or later for non-LTS versions.
Which versions of Jenkins are affected by CVE-2017-1000354?
Jenkins versions 2.56 and earlier, as well as 2.46.1 LTS and earlier, are affected by CVE-2017-1000354.
What is the impact of CVE-2017-1000354?
The impact of CVE-2017-1000354 allows an attacker to impersonate any authenticated Jenkins user, potentially compromising sensitive information.
Is my Jenkins installation vulnerable if it is below version 2.56?
Yes, any Jenkins installation using version 2.56 or earlier, including 2.46.1 LTS and earlier, is vulnerable to CVE-2017-1000354.
- agent/type
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-r57f-7xw3-q2r9
- alias/CVE-2017-1000354
- agent/software-canonical-lookup
- agent/references
- agent/weakness
- agent/severity
- agent/description
- agent/author
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/trending
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/maven
- vendor/jenkins
- canonical/jenkins lts
- version/jenkins lts/2.56
- version/jenkins lts/2.46.1