CVE-2017-1000391 — Improper Input Validation in Jenkins

CWE-20 — Improper Input Validation7 documents6 sources

Severity

7.3HIGHNVD

EPSS

0.2%

top 62.49%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Jenkins Core Jenkins LTS +1 more

Timeline

PublishedJan 26

Latest updateMay 14

Description

Jenkins versions 2.88 and earlier and 2.73.2 and earlier stores metadata related to 'people', which encompasses actual user accounts, as well as users appearing in SCM, in directories corresponding to the user ID on disk. These directories used the user ID for their name without additional escaping, potentially resulting in problems like overwriting of unrelated configuration files.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:HExploitability: 2.1 | Impact: 5.2

Affected Packages4 packages

▶NVDjenkins/jenkins2.73.2+1

▶jenkinsjenkins/jenkins_lts

▶jenkinsjenkins/jenkins_core

▶jenkinsjenkins/jenkins_weekly

🔴Vulnerability Details

GHSA

Improper Input Validation in Jenkins↗2022-05-14

▶

OSV

Improper Input Validation in Jenkins↗2022-05-14

▶

📋Vendor Advisories

Red Hat

jenkins: Unsafe use of user names as directory names↗2017-11-09

▶

Jenkins

Jenkins Security Advisory 2017-11-08↗2017-11-08

▶

💬Community

Bugzilla

CVE-2017-1000391 CVE-2017-1000392 jenkins: various flaws [fedora-all]↗2017-11-23

▶

Bugzilla

CVE-2017-1000391 jenkins: Unsafe use of user names as directory names↗2017-11-23

▶