CVE-2017-2654

CWE-200Information Exposure8 documents7 sources
Severity
5.3MEDIUM
EPSS
0.0%
top 91.76%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Jenkins Email Extension[unknown] Jenkins-email-ext
Timeline
PublishedAug 6
Latest updateMay 13

Description

jenkins-email-ext before version 2.57.1 is vulnerable to an Information Exposure. The Email Extension Plugins is able to send emails to a dynamically created list of users based on the changelogs, like authors of SCM changes since the last successful build. This could in some cases result in emails being sent to people who have no user account in Jenkins, and in rare cases even people who were not involved in whatever project was being built, due to some mapping based on the local-part of email

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 2.2 | Impact: 1.4

Affected Packages3 packages

CVEListV5[unknown]/jenkins-email-ext2.57.1

🔴Vulnerability Details

3
GHSA
Emails were sent to addresses not associated with actual users of Jenkins by Email Extension Plugin2022-05-13
OSV
Emails were sent to addresses not associated with actual users of Jenkins by Email Extension Plugin2022-05-13
CVEList
CVE-2017-2654: jenkins-email-ext before version 22018-08-06

📋Vendor Advisories

2
Red Hat
jenkins-email-ext: Emails were sent to addresses not associated with actual users of Jenkins by Mailer Plugin2017-03-20
Jenkins
Jenkins Security Advisory 2017-03-202017-03-20

💬Community

2
Bugzilla
CVE-2017-2654 jenkins-email-ext: Emails were sent to addresses not associated with actual users of Jenkins by Mailer Plugin2018-08-06
Bugzilla
CVE-2017-5849 netpbm: Calls TIFFRGBA with width and height parameters switched2017-02-06
CVE-2017-2654 (MEDIUM CVSS 5.3) | jenkins-email-ext before version 2. | cvebase.io