CVE-2018-1000169 — Sensitive Information Exposure in Jenkins

CWE-200 — Sensitive Information Exposure CWE-209 — Information Exposure via Error Message7 documents6 sources

Severity

5.3MEDIUMNVD

EPSS

0.2%

top 59.84%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Jenkins Core Jenkins LTS +1 more

Timeline

PublishedApr 16

Latest updateMay 14

Description

An exposure of sensitive information vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in CLICommand.java and ViewOptionHandler.java that allows unauthorized attackers to confirm the existence of agents or views with an attacker-specified name by sending a CLI command to Jenkins.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages4 packages

▶NVDjenkins/jenkins2.105+1

▶jenkinsjenkins/jenkins_lts

▶jenkinsjenkins/jenkins_core

▶jenkinsjenkins/jenkins_weekly

🔴Vulnerability Details

OSV

Exposure of Sensitive Information to an Unauthorized Actor in Jenkins↗2022-05-14

▶

GHSA

Exposure of Sensitive Information to an Unauthorized Actor in Jenkins↗2022-05-14

▶

📋Vendor Advisories

Red Hat

jenkins: CLI leaked existence of views and agents with attacker-specified names to users without Overall/Read permission (SECURITY-754)↗2018-04-11

▶

Jenkins

Jenkins Security Advisory 2018-04-11↗2018-04-11

▶

💬Community

Bugzilla

CVE-2018-1000169 CVE-2018-1000170 jenkins: various flaws [fedora-all]↗2018-04-13

▶

Bugzilla

CVE-2018-1000169 jenkins: CLI leaked existence of views and agents with attacker-specified names to users without Overall/Read permission (SECURITY-754)↗2018-04-13

▶