CVE-2017-1000395

Description

Jenkins 2.73.1 and earlier, 2.83 and earlier provides information about Jenkins user accounts which is generally available to anyone with Overall/Read permissions via the /user/(username)/api remote API. This included e.g. Jenkins users email addresses if the Mailer Plugin is installed. The remote API now no longer includes information beyond the most basic (user ID and name) unless the user requesting it is a Jenkins administrator.

Risk Information

Base Score

4.3

MODERATE

Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS Score

Exploitation Probability

0.145

Associated Vulnerability

Vulnerability	OS Platform
Multiple vulnerabilities affected in Jenkins 2.83	Windows
Multiple vulnerabilities are fixed in Jenkins-Core 2.73.2	Windows
Multiple vulnerabilities are fixed in Jenkins-Core 2.84	Windows
Multiple vulnerabilities affected in Jenkins 2.83 (For Ubuntu)	Linux
Multiple vulnerabilities affected in Jenkins 2.83 (For Debian)	Linux
Multiple vulnerabilities affected in Jenkins 2.83 (For Centos)	Linux
Multiple vulnerabilities affected in Jenkins 2.83 (For RedHat)	Linux
Multiple vulnerabilities affected in Jenkins 2.83 (For Suse)	Linux
Multiple vulnerabilities are fixed in Jenkins-Core for Linux 2.73.2	Linux
Multiple vulnerabilities are fixed in Jenkins-Core for Linux 2.84	Linux

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234