Description

The Jenkins 2.73.1 and earlier, 2.83 and earlier remote API at /job/(job-name)/api contained information about upstream and downstream projects. This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API now only lists upstream and downstream projects that the current user has access to.

Remediation

References

CVE-2017-1000400

Related Vulnerabilities

Joomla! Core 2.5.x Remote File Inclusion (2.5.4 - 2.5.25)

PHP Other Vulnerability (CVE-2006-4485)

PHP Other Vulnerability (CVE-2005-3319)

WordPress Plugin YITH WooCommerce Badge Management Security Bypass (1.3.19)

MySQL CVE-2023-22038 Vulnerability (CVE-2023-22038)

Severity

Medium

Classification

CVE-2017-1000400 CWE-862 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Missing Update Known Vulnerabilities