Multiple vulnerabilities in Jenkins Jenkins
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2017-2598 CVE-2017-2607 CVE-2017-2600 |
| CWE-ID | CWE-326 CWE-79 CWE-200 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Jenkins Server applications / Application servers |
| Vendor | Jenkins |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Inadequate Encryption Strength
EUVDB-ID: #VU31294
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-2598
CWE-ID:
CWE-326 - Inadequate Encryption Strength
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated user to gain access to sensitive information.
Jenkins before versions 2.44, 2.32.2 uses AES ECB block cipher mode without IV for encrypting secrets which makes Jenkins and the stored secrets vulnerable to unnecessary risks (SECURITY-304).
MitigationInstall update from vendor's website.
Vulnerable software versionsJenkins: 2.0 - 2.43
CPE2.3- cpe:2.3:a:jenkins:jenkins:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:jenkins:jenkins:2.1:*:*:*:*:*:*:*
- cpe:2.3:a:jenkins:jenkins:2.2:*:*:*:*:*:*:*
http://www.securityfocus.com/bid/95948
http://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2598
http://github.com/jenkinsci/jenkins/commit/e6aa166246d1734f4798a9e31f78842f4c85c28b
http://jenkins.io/security/advisory/2017-02-01/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Cross-site scripting
EUVDB-ID: #VU31300
Risk: Low
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-2607
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. The vulnerability allows plugins to annotate build logs, adding new content or changing the presentation of existing content while the build is running.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationUpdate to version 2.44.
Vulnerable software versionsJenkins: 2.0 - 2.43
CPE2.3- cpe:2.3:a:jenkins:jenkins:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:jenkins:jenkins:2.1:*:*:*:*:*:*:*
- cpe:2.3:a:jenkins:jenkins:2.2:*:*:*:*:*:*:*
http://www.securityfocus.com/bid/95963
http://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2607
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Information disclosure
EUVDB-ID: #VU31307
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-2600
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated user to gain access to sensitive information.
In jenkins before versions 2.44, 2.32.2 node monitor data could be viewed by low privilege users via the remote API. These included system configuration and runtime information of these nodes (SECURITY-343).
MitigationInstall update from vendor's website.
Vulnerable software versionsJenkins: 2.0 - 2.43
CPE2.3- cpe:2.3:a:jenkins:jenkins:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:jenkins:jenkins:2.1:*:*:*:*:*:*:*
- cpe:2.3:a:jenkins:jenkins:2.2:*:*:*:*:*:*:*
http://www.securityfocus.com/bid/95954
http://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2600
http://github.com/jenkinsci/jenkins/commit/0f92cd08a19207de2cceb6a2f4e3e9f92fdc0899
http://jenkins.io/security/advisory/2017-02-01/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
