CVE-2017-1000388
Published 2018-01-26
Priority: P4
CVSS 3.0: 4.3 (medium), vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.64% (46.2th percentile)
Jenkins Dependency Graph Viewer plugin 0.12 and earlier did not perform permission checks for the API endpoint that modifies the dependency graph, allowing anyone with Overall/Read permission to modify this data.
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jenkins | all_versions_of_scp_publisher_plugin | — | — |
| jenkins | build-publisher_plugin | — | — |
| jenkins | dependency_graph_viewer | <= 0.12 | — |
| jenkins | dependency_graph_viewer_plugin | — | — |
| jenkins | multijob_plugin | — | — |
| jenkins | scp_publisher_plugin | — | — |
| jenkins | urls_provided_by_global-build-stats_plugin | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 4.3 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
| nvd | 2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:N/I:P/A:N |
OSV
Jenkins Dependency Graph Viewer plugin vulnerable to missing permission checks
osv · 2022-05-13 · MEDIUM
GHSA
Jenkins Dependency Graph Viewer plugin vulnerable to missing permission checks
ghsa · 2022-05-13 · MEDIUM · CWE-862
Jenkins
Jenkins Security Advisory 2017-10-23
vendor_jenkins · 2017-10-23 · CVSS 5.4 · CVE-2017-1000386 [MEDIUM]
This advisory announces vulnerabilities in these Jenkins plugins:
- Active Choices (uno-choice)
- Build-Publisher
- Dependency Graph Viewer
- global-build-stats
- Multijob
- SCP publisher
Description
Persisted Cross-Site Scripting vulnerability in Active Choices plugin
SECURITY-470 / CVE-2017-1000386
Active Choices plugin allowed users with Job/Configure permission to provide arbitrary HTML to be shown on the Build With Parameters page through the Active Choices Reactive Reference Parameter type.
This could include, for example, arbitrary JavaScript.
Active Choices now sanitizes the HTML inserted on the Build With Parameters page if and only if the sc
No detection rules found.
No public exploits indexed.