CVE-2017-1000391: Input Validation
First published: Fri Jan 26 2018(Updated: )
Jenkins versions 2.88 and earlier and 2.73.2 and earlier stores metadata related to 'people', which encompasses actual user accounts, as well as users appearing in SCM, in directories corresponding to the user ID on disk. These directories used the user ID for their name without additional escaping, potentially resulting in problems like overwriting of unrelated configuration files.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Jenkins LTS | <=2.73.2 | |
| Jenkins LTS | <=2.88 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2017-1000391?
CVE-2017-1000391 is classified as a medium severity vulnerability.
How do I fix CVE-2017-1000391?
To fix CVE-2017-1000391, upgrade Jenkins to version 2.73.3 or later.
What versions of Jenkins are affected by CVE-2017-1000391?
Jenkins versions 2.88 and earlier, as well as 2.73.2 and earlier, are affected by CVE-2017-1000391.
What type of information is vulnerable in CVE-2017-1000391?
CVE-2017-1000391 exposes metadata related to user accounts and SCM users stored on disk.
What is the impact of not addressing CVE-2017-1000391?
Failing to address CVE-2017-1000391 may lead to unauthorized access or disclosure of user-related metadata.
- agent/references
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/weakness
- agent/last-modified-date
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/jenkins
- canonical/jenkins lts
- version/jenkins lts/2.73.2
- version/jenkins lts/2.88