CVE-2017-1000401

Description

The Jenkins 2.73.1 and earlier, 2.83 and earlier default form control for passwords and other secrets, , supports form validation (e.g. for API keys). The form validation AJAX requests were sent via GET, which could result in secrets being logged to a HTTP access log in non-default configurations of Jenkins, and made available to users with access to these log files. Form validation for is now always sent via POST, which is typically not logged.

Risk Information

Base Score

2.2

MODERATE

Vector

CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

EPSS Score

Exploitation Probability

0.039

Associated Vulnerability

Vulnerability	OS Platform
Multiple vulnerabilities affected in Jenkins 2.83	Windows
Multiple vulnerabilities are fixed in Jenkins-Core 2.73.2	Windows
Multiple vulnerabilities are fixed in Jenkins-Core 2.84	Windows
Multiple vulnerabilities affected in Jenkins 2.83 (For Ubuntu)	Linux
Multiple vulnerabilities affected in Jenkins 2.83 (For Debian)	Linux
Multiple vulnerabilities affected in Jenkins 2.83 (For Centos)	Linux
Multiple vulnerabilities affected in Jenkins 2.83 (For RedHat)	Linux
Multiple vulnerabilities affected in Jenkins 2.83 (For Suse)	Linux
Multiple vulnerabilities are fixed in Jenkins-Core for Linux 2.73.2	Linux
Multiple vulnerabilities are fixed in Jenkins-Core for Linux 2.84	Linux

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234