CVE-2017-2600

Description

In jenkins before versions 2.44, 2.32.2 node monitor data could be viewed by low privilege users via the remote API. These included system configuration and runtime information of these nodes (SECURITY-343).

CVSS breakdown

CVSS 3.0

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Affected products

Unknown / jenkinsjenkins 2.44 – jenkins 2.44
Unknown / jenkinsjenkins 2.32.2 – jenkins 2.32.2

References

MISChttps://jenkins.io/security/advisory/2017-02-01/
MISChttp://www.securityfocus.com/bid/95954
MISChttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2600
PATCHhttps://github.com/jenkinsci/jenkins/commit/0f92cd08a19207de2cceb6a2f4e3e9f92fdc0899