Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1yOXEyLTNyNngtcW1ncM4AARcs
Inadequate Encryption Strength in Jenkins
Jenkins before versions 2.44 and 2.32.2 uses AES ECB block cipher mode without IV for encrypting secrets which makes Jenkins and the stored secrets vulnerable to unnecessary risks (SECURITY-304).
Permalink: https://github.com/advisories/GHSA-r9q2-3r6x-qmgpJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yOXEyLTNyNngtcW1ncM4AARcs
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: about 1 year ago
CVSS Score: 4.3
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Identifiers: GHSA-r9q2-3r6x-qmgp, CVE-2017-2598
References:
- https://nvd.nist.gov/vuln/detail/CVE-2017-2598
- https://github.com/jenkinsci/jenkins/commit/e6aa166246d1734f4798a9e31f78842f4c85c28b
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2598
- https://jenkins.io/security/advisory/2017-02-01/
- https://github.com/advisories/GHSA-r9q2-3r6x-qmgp
Blast Radius: 1.0
Affected Packages
maven:org.jenkins-ci.main:jenkins-core
Affected Version Ranges: >= 2.34, <= 2.43, <= 2.32.1Fixed in: 2.44, 2.32.2