WEB APPLICATION VULNERABILITIES SCA (Software Composition Analysis)

CVE-2017-1000401 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

Description

The Jenkins 2.73.1 and earlier, 2.83 and earlier default form control for passwords and other secrets, , supports form validation (e.g. for API keys). The form validation AJAX requests were sent via GET, which could result in secrets being logged to a HTTP access log in non-default configurations of Jenkins, and made available to users with access to these log files. Form validation for is now always sent via POST, which is typically not logged.

Remediation

References

https://jenkins.io/security/advisory/2017-10-11/

Related Vulnerabilities

CVE-2021-38555 Vulnerability in maven package org.apache.any23:apache-any23-core

CVE-2020-10687 Vulnerability in maven package io.undertow:undertow-core

CVE-2021-21295 Vulnerability in maven package io.netty:netty-codec-http2

CVE-2023-46659 Vulnerability in maven package org.jenkins-ci.plugins:trac

CVE-2021-21351 Vulnerability in maven package com.thoughtworks.xstream:xstream

Severity

Low

Classification

CWE-20 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

Tags

Vendor Advisory