{"id":"CVE-2017-2598","details":"Jenkins before versions 2.44 and 2.32.2 encrypts secrets with AES in ECB block cipher mode, which uses no IV, so identical plaintext blocks always encrypt to identical ciphertext blocks; this exposes Jenkins and the stored secrets to unnecessary risk (SECURITY-304).","aliases":["GHSA-r9q2-3r6x-qmgp"],"modified":"2026-04-11T04:38:18.821187Z","published":"2018-05-23T13:29:00.217Z","references":[{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/95948"},{"type":"ADVISORY","url":"https://jenkins.io/security/advisory/2017-02-01/"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2598"},{"type":"FIX","url":"https://github.com/jenkinsci/jenkins/commit/e6aa166246d1734f4798a9e31f78842f4c85c28b"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jenkinsci/jenkins","events":[{"introduced":"0"},{"fixed":"5828e963ac26f209298c3fdfb7a3a49f2cc401d4"},{"introduced":"0"},{"fixed":"4992b15066ecd87428dcd204102f1158bbcc8b3a"},{"fixed":"e6aa166246d1734f4798a9e31f78842f4c85c28b"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.44"},{"introduced":"0"},{"fixed":"2.32.2"}]}}],"versions":["1.324-rc","1.325-rc","1.327-rc","1.328-rc","builds/101","builds/102","builds/103","builds/104","builds/105","builds/106","builds/107","builds/108","builds/109","builds/110","builds/112","builds/113","builds/114","builds/115","builds/116","builds/117","builds/118","builds/119","builds/120","builds/121","builds/122","builds/123","builds/124","builds/125","builds/126","builds/127","builds/128","builds/130","builds/131","builds/132","builds/133","builds/134","builds/135","builds/136","builds/137","builds/138","builds/139","builds/140","builds/141","builds/142","builds/143","builds/144","builds/145","builds/146","builds/147","builds/148","builds/149","builds/150","builds/151","builds/152","builds/153","builds/154","builds/155","builds/156","builds/157","builds/158","builds/16","builds/160","builds/161","builds/162","builds/163","builds/164","builds/165","builds/166","builds/168","build
s/169","builds/17","builds/170","builds/171","builds/172","builds/173","builds/174","builds/176","builds/177","builds/179","builds/18","builds/180","builds/181","builds/182","builds/183","builds/184","builds/185","builds/186","builds/187","builds/188","builds/189","builds/190","builds/191","builds/192","builds/193","builds/194","builds/195","builds/196","builds/197","builds/198","builds/199","builds/2","builds/200","builds/201","builds/202","builds/203","builds/204","builds/205","builds/206","builds/207","builds/209","builds/21","builds/210","builds/211","builds/212","builds/213","builds/214","builds/215","builds/216","builds/217","builds/218","builds/219","builds/22","builds/220","builds/221","builds/222","builds/223","builds/224","builds/225","builds/227","builds/228","builds/229","builds/23","builds/230","builds/231","builds/232","builds/233","builds/234","builds/235","builds/236","builds/237","builds/238","builds/239","builds/24","builds/240","builds/241","builds/242","builds/243","builds/244","builds/245","builds/247","builds/248","builds/249","builds/250","builds/251","builds/254","builds/255","builds/256","builds/257","builds/258","builds/259","builds/26","builds/260","builds/262","builds/264","builds/265","builds/266","builds/267","builds/268","builds/269","builds/27","builds/270","builds/271","builds/272","builds/273","builds/274","builds/275","builds/276","builds/277","builds/278","builds/279","builds/28","builds/280","builds/281","builds/282","builds/284","builds/285","builds/286","builds/287","builds/288","builds/29","builds/290","builds/291","builds/293","builds/294","builds/295","builds/296","builds/297","builds/298","builds/299","builds/30","builds/300","builds/301","builds/302","builds/303","builds/304","builds/305","builds/306","builds/31","builds/32","builds/33","builds/338","builds/339","builds/34","builds/340","builds/341","builds/342","builds/343","builds/344","builds/345","builds/346","builds/348","builds/35","builds/350","builds/352","builds/3
53","builds/355","builds/356","builds/357","builds/358","builds/359","builds/36","builds/361","builds/363","builds/37","builds/370","builds/371","builds/372","builds/39","builds/40","builds/41","builds/42","builds/43","builds/44","builds/46","builds/47","builds/48","builds/49","builds/50","builds/51","builds/52","builds/53","builds/54","builds/55","builds/56","builds/77","builds/81","builds/82","builds/83","builds/85","builds/86","builds/89","builds/90","builds/92","builds/93","builds/94","changes/101","changes/102","changes/103","changes/104","changes/105","changes/106","changes/107","changes/108","changes/109","changes/110","changes/113","changes/114","changes/115","changes/116","changes/117","changes/118","changes/119","changes/120","changes/121","changes/122","changes/123","changes/124","changes/125","changes/126","changes/127","changes/128","changes/130","changes/131","changes/132","changes/133","changes/134","changes/135","changes/136","changes/137","changes/138","changes/139","changes/140","changes/141","changes/142","changes/143","changes/144","changes/145","changes/146","changes/147","changes/148","changes/149","changes/150","changes/151","changes/152","changes/153","changes/154","changes/155","changes/156","changes/157","changes/158","changes/16","changes/161","changes/162","changes/163","changes/164","changes/165","changes/166","changes/169","changes/17","changes/170","changes/171","changes/172","changes/173","changes/174","changes/176","changes/177","changes/179","changes/18","changes/180","changes/181","changes/182","changes/183","changes/184","changes/185","changes/186","changes/187","changes/188","changes/189","changes/190","changes/191","changes/192","changes/193","changes/194","changes/195","changes/196","changes/197","changes/198","changes/199","changes/2","changes/20","changes/200","changes/201","changes/202","changes/203","changes/204","changes/205","changes/206","changes/207","changes/209","changes/21","changes/210","changes/211","changes/212","
changes/213","changes/214","changes/215","changes/216","changes/217","changes/218","changes/22","changes/220","changes/221","changes/222","changes/223","changes/224","changes/225","changes/228","changes/229","changes/23","changes/230","changes/231","changes/232","changes/233","changes/234","changes/235","changes/236","changes/237","changes/238","changes/239","changes/24","changes/240","changes/241","changes/242","changes/243","changes/244","changes/245","changes/248","changes/249","changes/250","changes/251","changes/255","changes/256","changes/257","changes/258","changes/259","changes/262","changes/265","changes/266","changes/267","changes/268","changes/269","changes/27","changes/270","changes/271","changes/272","changes/273","changes/274","changes/275","changes/276","changes/277","changes/278","changes/279","changes/28","changes/280","changes/281","changes/282","changes/284","changes/286","changes/287","changes/288","changes/29","changes/290","changes/291","changes/293","changes/294","changes/295","changes/296","changes/297","changes/298","changes/299","changes/30","changes/300","changes/301","changes/302","changes/303","changes/304","changes/305","changes/306","changes/31","changes/32","changes/338","changes/339","changes/34","changes/340","changes/342","changes/343","changes/344","changes/345","changes/346","changes/348","changes/35","changes/350","changes/352","changes/353","changes/356","changes/357","changes/358","changes/36","changes/361","changes/363","changes/37","changes/370","changes/371","changes/372","changes/39","changes/40","changes/41","changes/42","changes/43","changes/44","changes/46","changes/47","changes/48","changes/49","changes/50","changes/51","changes/52","changes/53","changes/54","changes/55","changes/56","changes/76","changes/77","changes/79","changes/81","changes/82","changes/83","changes/85","changes/86","changes/89","changes/90","changes/92","changes/93","changes/94","jenkins-1.604","jenkins-1.605","jenkins-1.606","jenkins-1.607","jenki
ns-1.608","jenkins-1.609","jenkins-1.610","jenkins-1.614","jenkins-1.615","jenkins-1.616","jenkins-1.617","jenkins-1.618","jenkins-1.619","jenkins-1.620","jenkins-1.621","jenkins-1.622","jenkins-1.623","jenkins-1.624","jenkins-1.625","jenkins-1.625.1-rc1","jenkins-1.625.1-rc2","jenkins-1.625.2","jenkins-1.625.3","jenkins-1.625.3-rc1","jenkins-1.626","jenkins-1.627","jenkins-1.628","jenkins-1.638","jenkins-1.639","jenkins-1.640","jenkins-1.641","jenkins-1.642","jenkins-1.643","jenkins-1.644","jenkins-1.645","jenkins-1.646","jenkins-1.647","jenkins-1.648","jenkins-1.649","jenkins-1.650","jenkins-1.651","jenkins-1.652","jenkins-1.653","jenkins-1.654","jenkins-1.655","jenkins-1.656","jenkins-2.10","jenkins-2.11","jenkins-2.12","jenkins-2.13","jenkins-2.14","jenkins-2.15","jenkins-2.16","jenkins-2.17","jenkins-2.18","jenkins-2.19","jenkins-2.20","jenkins-2.21","jenkins-2.22","jenkins-2.23","jenkins-2.24","jenkins-2.25","jenkins-2.26","jenkins-2.27","jenkins-2.28","jenkins-2.29","jenkins-2.3","jenkins-2.30","jenkins-2.31","jenkins-2.32","jenkins-2.33","jenkins-2.34","jenkins-2.35","jenkins-2.36","jenkins-2.37","jenkins-2.4","jenkins-2.5","jenkins-2.6","jenkins-2.7","jenkins-2.8","jenkins-2.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-2598.json","vanir_signatures":[{"source":"https://github.com/jenkinsci/jenkins/commit/e6aa166246d1734f4798a9e31f78842f4c85c28b","id":"CVE-2017-2598-06766944","target":{"file":"core/src/main/java/jenkins/security/CryptoConfidentialKey.java"},"signature_version":"v1","digest":{"line_hashes":["305930840073233313123990364924610852800","100644309666103830509496003903036411659","313292731240792924623784985188605567372","108882712108668736939852602260158592270","149121414583155512218669212473278056799","250757757161727948415098803085282142960","30062542598841474569723778500396641052","119576118030318236888166482175989254773","121546935809640601845767623099006375051","55361232763776155559235
829702719287466","172981307834300264250726167084180319968","168045766569962511172611379438404464692","263047235748066449811532123098487566990","112474894046403871779152076070222012955","234545489481274616858647802257592980873","79692683047230020514320084758904897986","60675184202234922548961561113243509180","209460712172585494472994539575026201258","113195073649416367237167774633643284306","88348961859958872857767726866082519414","14179938515306383417474225906630870030","15916279158638679346064015611078678101","234078675171227240707539746729492422892","156166100799398120780489712239861768694","204988234880346263708383618020948153885","176358385314685072692360450268969632166"],"threshold":0.9},"signature_type":"Line","deprecated":false},{"source":"https://github.com/jenkinsci/jenkins/commit/e6aa166246d1734f4798a9e31f78842f4c85c28b","id":"CVE-2017-2598-105ad956","target":{"function":"decrypt","file":"core/src/main/java/jenkins/security/CryptoConfidentialKey.java"},"signature_version":"v1","digest":{"function_hash":"178256409736214979409355304043010861470","length":214},"signature_type":"Function","deprecated":false},{"source":"https://github.com/jenkinsci/jenkins/commit/e6aa166246d1734f4798a9e31f78842f4c85c28b","id":"CVE-2017-2598-262f8113","target":{"function":"getEncryptedValue","file":"core/src/main/java/hudson/util/Secret.java"},"signature_version":"v1","digest":{"function_hash":"165424836621897746741884565636234253993","length":308},"signature_type":"Function","deprecated":false},{"source":"https://github.com/jenkinsci/jenkins/commit/e6aa166246d1734f4798a9e31f78842f4c85c28b","id":"CVE-2017-2598-4c031f83","target":{"function":"verifyRewrite","file":"test/src/test/java/jenkins/security/RekeySecretAdminMonitorTest.java"},"signature_version":"v1","digest":{"function_hash":"330607929831063614150581042292122657403","length":216},"signature_type":"Function","deprecated":false},{"source":"https://github.com/jenkinsci/jenkins/commit/e6aa166246d1734f4798a9e31f78842f4c85c28
b","id":"CVE-2017-2598-59335bc8","target":{"file":"test/src/test/java/lib/form/PasswordTest.java"},"signature_version":"v1","digest":{"line_hashes":["292850070707343144351431530280666686303","308044210002267469415417156876138737276","121072328190602009224634822675984923794","245271826491785023594386187532326382415","202022143650792085784476165375378305035","97771546760145790436599389798953138114","26828177916945003614276279480349379813","324096270216040387283087269494087711365","304606942987393169855477498063129906694","190146291131391555301173190917746572985","264018051519231566346011122547649554004","105073235807074478318240048638162457808","113754311809707387942615065180270050155","71709773217189607385060612693942280862","181508857781612092153158622625866356940","12902642626946056654147404084300622349","41740308938485563498010196107298452889","38563025274070683664323925376715419504","49354449380397009256747378159454397432","331220007398456206018667314982883420477","146957598012947898264866828182328376810","265242560357755784598970641515928612682","314466722840285422853669442417410391083","88060203327963095130040511989052923999","129824265909121034815818034491736839540","4908159761260956310653610720156700710","121977149501748468060138055911135149463","239692844036686056903046113715130965775","57154870667515740060968211013622087797","170651440340779813827584627708905929915","126148306384147410453115761200196652722","293099863535944301099257682154496257215","312707754615937307372440783266349942766","182843428834920096089439853430967728537","34270051259597902512653610220737128491","212179698281365517995769480808661878507","3547048814652970554946693417293357036","307002954280285568828721645459981883228"],"threshold":0.9},"signature_type":"Line","deprecated":false},{"source":"https://github.com/jenkinsci/jenkins/commit/e6aa166246d1734f4798a9e31f78842f4c85c28b","id":"CVE-2017-2598-75a5a6ed","target":{"function":"getKey","file":"core/src/main/java/jenkins/security/Crypto
ConfidentialKey.java"},"signature_version":"v1","digest":{"function_hash":"125283907686778558164068681576281705040","length":410},"signature_type":"Function","deprecated":false},{"source":"https://github.com/jenkinsci/jenkins/commit/e6aa166246d1734f4798a9e31f78842f4c85c28b","id":"CVE-2017-2598-823560da","target":{"file":"core/src/main/java/hudson/util/SecretRewriter.java"},"signature_version":"v1","digest":{"line_hashes":["106408138319883536945882098640894873154","71533143255427233937060512688579391252","41530346151740525616002343149702549308","225807873219130633742915241656476853375","302022528013118328010972825242232557682","238373161063521608065538046931034466454","212627756188674952140787056772373058421","54474097477615317311179774595292977953"],"threshold":0.9},"signature_type":"Line","deprecated":false},{"source":"https://github.com/jenkinsci/jenkins/commit/e6aa166246d1734f4798a9e31f78842f4c85c28b","id":"CVE-2017-2598-8af81472","target":{"function":"SecretRewriter","file":"core/src/main/java/hudson/util/SecretRewriter.java"},"signature_version":"v1","digest":{"function_hash":"115877833107357959520839674034878927897","length":117},"signature_type":"Function","deprecated":false},{"source":"https://github.com/jenkinsci/jenkins/commit/e6aa166246d1734f4798a9e31f78842f4c85c28b","id":"CVE-2017-2598-9afe70ca","target":{"function":"getLegacyKey","file":"core/src/main/java/hudson/util/Secret.java"},"signature_version":"v1","digest":{"function_hash":"325053493821840845664075416200084660247","length":174},"signature_type":"Function","deprecated":false},{"source":"https://github.com/jenkinsci/jenkins/commit/e6aa166246d1734f4798a9e31f78842f4c85c28b","id":"CVE-2017-2598-a4b2cd27","target":{"function":"decrypt","file":"core/src/main/java/hudson/util/Secret.java"},"signature_version":"v1","digest":{"function_hash":"180425839949994333081042184033730948197","length":509},"signature_type":"Function","deprecated":false},{"source":"https://github.com/jenkinsci/jenkins/commit/e6aa16
6246d1734f4798a9e31f78842f4c85c28b","id":"CVE-2017-2598-ae9c36db","target":{"function":"testExposedCiphertext","file":"test/src/test/java/lib/form/PasswordTest.java"},"signature_version":"v1","digest":{"function_hash":"119708651988034455660723248229168229852","length":3241},"signature_type":"Function","deprecated":false},{"source":"https://github.com/jenkinsci/jenkins/commit/e6aa166246d1734f4798a9e31f78842f4c85c28b","id":"CVE-2017-2598-bbb60371","target":{"file":"core/src/main/java/hudson/util/Secret.java"},"signature_version":"v1","digest":{"line_hashes":["108778818747154763912411705374200843333","32814171857699789234983362796491440335","83582254124193301484055635715482484252","287059441794560341823316998649643659493","294403974051299171607325668528707530088","78350342083934280480464066081412774846","70118911270177300713463695631126743449","294574030278181506619639696431386880077","290311530173164268922655019495086776861","102103038129357179595235162207365790385","31874088406163539236482660250190194998","317029369170599907332184045558601457489","49400514978174794283618774480213932147","307789000055070314248633822747437860231","230476944425008866187334851880094453498","47609479765175956042924154107481332676","204331064871461976181452003311709659470","271167311042152379196736935209572280615","185772671872972787730453198028200745338","4582878183913113557497335385793494686","238220214471275456847664026873630118346","224979638282744069404637404804949642331","21649299418901685771498744493797902191","13998444267587279842618120466194025017","234182299030466815333048324812324343481","218488892011837530629820829173596605541","273091483499970561009156497699760879833","230370306346559873411114134494710191923","14045415954648865942323821449042085288","270612321360226961401951678203335263606","274662182251227138474349022710656851979","161558788559515039550248412551623156649","14652033176071594424115999916651352439","81175363527838353513526151287363982297","1869801936458245081872
34161394888170528","229553523212673733416273056505447673874","241066512921928819052792525465155650669","69566145878603256091545058850095205109","335716370532802559553837978105470272093","45142951388858507441109861482213250650","55558652106880556703298820243207228958","226958288794547253355738673960887925777","112989781005170796170377811671998511462","209309321310697786719902723745566190950","336573598611442657031481612480907734203","10912935424914227633134981299675910476","93694958405299168480087244781999986789","150261084795625629560233429831412798537","201590903131862703273703053979004533611","206345718054997878249999670881546523441","230234388718581167904159616322234468531","325820235344789872637905772988411179724","13104509221417474918677809291695082852","278010993100689383938966047027922515959","330254640127954420530942751693769308492","222066494241333374166044425273239283553","77331399266922681318237145002631226599","256185226392959824761937526460003688610","81317095792430749414121051886991788478","308697555041124401665591724856850151426","24611969205046981243300495253705218010","313270826093689777018709525726558829807","129655140315413036593063116597004081319","38333929436334428045845350985038638878","72171639300466543008872798916276279455","212733705449188661777705008534988643650","127036494324107835007593284088170981095","212131025021380765194222956657463712781","67426103063149866038120018736221634209","283798439497888211746003078904834212795"],"threshold":0.9},"signature_type":"Line","deprecated":false},{"source":"https://github.com/jenkinsci/jenkins/commit/e6aa166246d1734f4798a9e31f78842f4c85c28b","id":"CVE-2017-2598-ce802f03","target":{"file":"test/src/test/java/jenkins/security/RekeySecretAdminMonitorTest.java"},"signature_version":"v1","digest":{"line_hashes":["146265969059877492589145810004099763336","244047347682967846087061386173322727786","110211514801789698149132458306957193833","318756106178843010490038104744034713615","49748824931406049190045109
612560891751","86584635276990748092065684377744259840","33488473700166129987741704222711253795","24918360031619479669997786789004024319","251568277355803251445594909731763690290","339546340710824123153831928740664825317","63408120097994420467351284773953136773","216793814520058723608354003728905438862","81435529772457388560165162310965105121","323138350416142002112366339575043407668","242516246369379033053865032192817498263","196891271952530223680658734919913750934"],"threshold":0.9},"signature_type":"Line","deprecated":false},{"source":"https://github.com/jenkinsci/jenkins/commit/e6aa166246d1734f4798a9e31f78842f4c85c28b","id":"CVE-2017-2598-d4a12ac4","target":{"function":"encrypt","file":"core/src/main/java/jenkins/security/CryptoConfidentialKey.java"},"signature_version":"v1","digest":{"function_hash":"109922759028387727897896229694301971970","length":214},"signature_type":"Function","deprecated":false},{"source":"https://github.com/jenkinsci/jenkins/commit/e6aa166246d1734f4798a9e31f78842f4c85c28b","id":"CVE-2017-2598-e1d50562","target":{"function":"tryDecrypt","file":"core/src/main/java/hudson/util/Secret.java"},"signature_version":"v1","digest":{"function_hash":"80144820035017481901147084775222631966","length":346},"signature_type":"Function","deprecated":false},{"source":"https://github.com/jenkinsci/jenkins/commit/e6aa166246d1734f4798a9e31f78842f4c85c28b","id":"CVE-2017-2598-fca81e15","target":{"function":"tryRewrite","file":"core/src/main/java/hudson/util/SecretRewriter.java"},"signature_version":"v1","digest":{"function_hash":"276993342190714168868998899465521159785","length":447},"signature_type":"Function","deprecated":false}],"vanir_signatures_modified":"2026-04-11T04:38:18Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}]}