CVE-2017-2611

EUVD-2022-2082
Jenkins before versions 2.44, 2.32.2 is vulnerable to an insufficient permission check for periodic processes (SECURITY-389). The URLs /workspaceCleanup and /fingerprintCleanup did not perform permission checks, allowing users with read access to Jenkins to trigger these background processes (that are otherwise performed daily), possibly causing additional load on Jenkins master and agents.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
redhatCNA
4.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 52%
Affected Products (NVD)
VendorProductVersion
jenkinsjenkins
𝑥
< 2.32.2
jenkinsjenkins
𝑥
< 2.44
redhatopenshift
2.0
redhatopenshift
3.0
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
jenkins
precise
ignored
trusty
dne
xenial
dne
yakkety
dne
zesty
dne
Common Weakness Enumeration
References
http://www.securityfocus.com/bid/95956
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2611
https://github.com/jenkinsci/jenkins/commit/97a61a9fe55f4c16168c123f98301a5173b9fa86
https://jenkins.io/security/advisory/2017-02-01/
http://www.securityfocus.com/bid/95956
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2611
https://github.com/jenkinsci/jenkins/commit/97a61a9fe55f4c16168c123f98301a5173b9fa86
https://jenkins.io/security/advisory/2017-02-01/