Ecosyste.ms: Advisories
Security Advisories: GSA_kwCzR0hTQS13ZmozLTUzNW0tcDZmeM4AATfc
Improper Input Validation in Jenkins
Jenkins versions 2.88 and earlier and 2.73.2 and earlier store metadata related to 'people', which encompasses actual user accounts as well as users appearing in SCM, in on-disk directories named after the user ID. These directories used the user ID for their name without additional escaping, potentially resulting in problems such as overwriting unrelated configuration files.
Permalink: https://github.com/advisories/GHSA-wfj3-535m-p6fx
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13ZmozLTUzNW0tcDZmeM4AATfc
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: about 1 year ago
CVSS Score: 7.3
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H
Identifiers: GHSA-wfj3-535m-p6fx, CVE-2017-1000391
References:
- https://nvd.nist.gov/vuln/detail/CVE-2017-1000391
- https://jenkins.io/security/advisory/2017-11-08/
- http://www.securityfocus.com/bid/101773
- https://github.com/jenkinsci/jenkins/commit/566a8ddb885f0bef9bc848e60455c0aabbf0c1d3
- https://github.com/advisories/GHSA-wfj3-535m-p6fx
Affected Packages
maven:org.jenkins-ci.main:jenkins-core
Affected Version Ranges: >= 2.74, <= 2.88; <= 2.73.2
Fixed in: 2.89, 2.73.3