CVE-2014-3667 — Sensitive Information Exposure in Jenkins

CWE-200 — Sensitive Information Exposure CWE-285 — Improper Authorization7 documents7 sources

Severity

4.0MEDIUMNVD

EPSS

0.1%

top 82.64%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Redhat Openshift

Timeline

PublishedOct 16

Latest updateMay 17

Description

Jenkins before 1.583 and LTS before 1.565.3 does not properly prevent downloading of plugins, which allows remote authenticated users with the Overall/READ permission to obtain sensitive information by reading the plugin code.

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 8.0 | Impact: 2.9

Affected Packages2 packages

▶NVDjenkins/jenkins1.582+1

▶NVDredhat/openshift3.1

🔴Vulnerability Details

GHSA

Jenkins allows Remote Users to Obtain Sensitive Information from a Plugin Code↗2022-05-17

▶

OSV

Jenkins allows Remote Users to Obtain Sensitive Information from a Plugin Code↗2022-05-17

▶

CVEList

CVE-2014-3667: Jenkins before 1↗2014-10-16

▶

📋Vendor Advisories

Red Hat

jenkins: plug-in code can be downloaded by anyone with read access (SECURITY-155)↗2014-10-02

▶

Jenkins

Jenkins Security Advisory 2014-10-01↗2014-10-01

▶

💬Community

Bugzilla

CVE-2014-3667 jenkins: plug-in code can be downloaded by anyone with read access (SECURITY-155)↗2014-09-30

▶