Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS13ZmozLTUzNW0tcDZmeM4AATfc

Improper Input Validation in Jenkins

Jenkins versions 2.88 and earlier, and 2.73.2 and earlier, store metadata related to 'people', which encompasses both actual user accounts and users appearing in SCM, in on-disk directories named after the user ID. These directories used the user ID as their name without additional escaping, potentially resulting in problems such as overwriting unrelated configuration files.

Permalink: https://github.com/advisories/GHSA-wfj3-535m-p6fx
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13ZmozLTUzNW0tcDZmeM4AATfc
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: about 1 year ago


CVSS Score: 7.3
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H

Identifiers: GHSA-wfj3-535m-p6fx, CVE-2017-1000391
References: Repository: https://github.com/jenkinsci/jenkins

Affected Packages

maven:org.jenkins-ci.main:jenkins-core
Affected Version Ranges: >= 2.74, <= 2.88; <= 2.73.2
Fixed in: 2.89, 2.73.3