Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nvd[email protected]NVD:CVE-2017-1000354
HistoryJan 29, 2018 - 5:29 p.m.

CVE-2017-1000354

2018-01-2917:29:00
CWE-287
[email protected]
web.nvd.nist.gov
8

CVSS2

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.6

Confidence

High

EPSS

0.001

Percentile

43.6%

JSON

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to a login command which allowed impersonating any Jenkins user. The login command available in the remoting-based CLI stored the encrypted user name of the successfully authenticated user in a cache file used to authenticate further commands. Users with sufficient permission to create secrets in Jenkins, and download their encrypted values (e.g. with Job/Configure permission), were able to impersonate any other Jenkins user on the same instance.

Affected configurations

Nvd
Node
jenkinsjenkinsRange2.56
Node
jenkinsjenkinsRange2.46.1lts
VendorProductVersionCPE
jenkinsjenkins*cpe:2.3:a:jenkins:jenkins:*:*:*:*:*:*:*:*
jenkinsjenkins*cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*

Related

prion 1
cve 1
osv 2
seebug 1
cvelist 1
github 1
ubuntucve 1
redhatcve 1
veracode 1
archlinux 1
openvas 2
freebsd 1
nessus 2
prion
prion
Design/Logic Flaw
2018-01-29 17:29:00
cve
cve
CVE-2017-1000354
2018-01-29 17:29:00
osv
osv
Improper Authentication in Jenkins
2022-05-14 03:44:30
CVE-2017-1000354
2018-01-29 17:29:00
seebug
seebug
Jenkins CLI: Login command allowed impersonating any Jenkins user (CVE-2017-1000354)
2017-04-28 00:00:00
cvelist
cvelist
CVE-2017-1000354
2018-01-29 17:00:00
github
github
Improper Authentication in Jenkins
2022-05-14 03:44:30
ubuntucve
ubuntucve
CVE-2017-1000354
2018-01-29 00:00:00
redhatcve
redhatcve
CVE-2017-1000354
2017-05-03 08:54:02
veracode
veracode
Improper Authentication
2024-04-22 06:12:42
archlinux
archlinux
[ASA-201704-8] jenkins: multiple issues
2017-04-27 00:00:00
openvas
openvas
Jenkins Multiple Vulnerabilities (Apr 2017) - Linux
2017-04-28 00:00:00
Jenkins Multiple Vulnerabilities (Apr 2017) - Windows
2017-04-28 00:00:00
freebsd
freebsd
jenkins -- multiple vulnerabilities
2017-04-26 00:00:00
nessus
nessus
Jenkins < 2.46.2 / 2.57 and Jenkins Enterprise < 1.625.24.1 / 1.651.24.1 / 2.7.24.0.1 / 2.46.2.1 Multiple Vulnerabilities
2017-05-04 00:00:00
FreeBSD : jenkins -- multiple vulnerabilities (631c4710-9be5-4a80-9310-eb2847fe24dd)
2017-04-27 00:00:00

CVSS2

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.6

Confidence

High

EPSS

0.001

Percentile

43.6%

JSON
Related for NVD:CVE-2017-1000354
prion1cve1osv2seebug1cvelist1github1ubuntucve1redhatcve1veracode1archlinux1openvas2freebsd1nessus2