CVE-2017-1000399: Infoleak
First published: Fri Jan 26 2018(Updated: )
The Jenkins 2.73.1 and earlier, 2.83 and earlier remote API at /queue/item/(ID)/api showed information about tasks in the queue (typically builds waiting to start). This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API endpoint is now only available for tasks that the current user has access to.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Jenkins LTS | <=2.73.1 | |
| Jenkins LTS | <=2.83 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2017-1000399?
CVE-2017-1000399 has been rated as a medium severity vulnerability.
How do I fix CVE-2017-1000399?
To fix CVE-2017-1000399, upgrade Jenkins to version 2.73.2 or higher if you are using LTS, or 2.83.1 or higher for other versions.
What versions of Jenkins are affected by CVE-2017-1000399?
CVE-2017-1000399 affects Jenkins versions 2.73.1 and earlier, and 2.83 and earlier.
What information is exposed by CVE-2017-1000399?
CVE-2017-1000399 exposes information about tasks in the Jenkins queue that the user does not have permission to access.
Is user authentication sufficient to protect against CVE-2017-1000399?
User authentication alone is not sufficient to protect against CVE-2017-1000399, as it can reveal queue information regardless of permissions.
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/references
- agent/weakness
- agent/last-modified-date
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/jenkins
- canonical/jenkins lts
- version/jenkins lts/2.73.1
- version/jenkins lts/2.83