CVE-2017-1000395: Infoleak
First published: Fri Jan 26 2018(Updated: )
Jenkins 2.73.1 and earlier, 2.83 and earlier provides information about Jenkins user accounts which is generally available to anyone with Overall/Read permissions via the /user/(username)/api remote API. This included e.g. Jenkins users' email addresses if the Mailer Plugin is installed. The remote API now no longer includes information beyond the most basic (user ID and name) unless the user requesting it is a Jenkins administrator.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Jenkins LTS | <=2.73.1 | |
| Jenkins LTS | <=2.83 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2017-1000395?
CVE-2017-1000395 has a medium severity rating due to its potential exposure of sensitive user information.
How do I fix CVE-2017-1000395?
To fix CVE-2017-1000395, upgrade Jenkins to version 2.73.2 or later, or 2.83.1 or later.
What kind of information is exposed by CVE-2017-1000395?
CVE-2017-1000395 exposes information such as Jenkins user email addresses when the Mailer Plugin is installed.
Who is affected by CVE-2017-1000395?
CVE-2017-1000395 affects Jenkins versions 2.73.1 and earlier, and 2.83 and earlier.
What permissions are needed to exploit CVE-2017-1000395?
Exploitation of CVE-2017-1000395 requires Overall/Read permissions on Jenkins.
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/references
- agent/weakness
- agent/last-modified-date
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/jenkins
- canonical/jenkins lts
- version/jenkins lts/2.73.1
- version/jenkins lts/2.83