CVE-2017-2611 Information

Description

Jenkins before versions 2.44 and 2.32.2 is vulnerable to an insufficient permission check for periodic processes (SECURITY-389). The URLs /workspaceCleanup and /fingerprintCleanup did not perform permission checks, allowing users with read access to Jenkins to trigger these background processes (which are otherwise run daily), possibly causing additional load on the Jenkins master and agents.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Reference

http://www.securityfocus.com/bid/95956
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2611
https://github.com/jenkinsci/jenkins/commit/97a61a9fe55f4c16168c123f98301a5173b9fa86
https://jenkins.io/security/advisory/2017-02-01/

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

Base Score

4.3

Base Severity

LOW
