Acunetix DAST powers runtime capabilities for Invicti’s complete AppSec platform. Visit Invicti for more.

WEB APPLICATION VULNERABILITIES SCA (Software Composition Analysis)

CVE-2017-1000401 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

Description

The Jenkins 2.73.1 and earlier, 2.83 and earlier default form control for passwords and other secrets, , supports form validation (e.g. for API keys). The form validation AJAX requests were sent via GET, which could result in secrets being logged to a HTTP access log in non-default configurations of Jenkins, and made available to users with access to these log files. Form validation for is now always sent via POST, which is typically not logged.

Remediation

References

https://jenkins.io/security/advisory/2017-10-11/

Related Vulnerabilities

CVE-2020-2239 Vulnerability in maven package org.jenkins-ci.plugins:parameterized-remote-trigger

CVE-2018-1307 Vulnerability in maven package org.apache.juddi:juddi-client

CVE-2014-7816 Vulnerability in maven package io.undertow:undertow-core

CVE-2023-49620 Vulnerability in maven package org.apache.dolphinscheduler:dolphinscheduler-api

CVE-2021-21690 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

Severity

Low

Classification

CWE-20 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

Tags

Vendor Advisory