{"id":"GHSA-6967-9vvv-4cmm","summary":"Exposure of Sensitive Information to an Unauthorized Actor in Jenkins","details":"Jenkins versions before 2.44 and 2.32.2 are vulnerable to an information exposure in the internal API that allows access to item names that should not be visible (SECURITY-380). The exposure is only relevant for anonymous users (other users legitimately have access) who were able to get a list of items via an UnprotectedRootAction.","aliases":["CVE-2017-2606"],"modified":"2024-02-20T05:37:15.492068Z","published":"2022-05-13T01:36:54Z","database_specific":{"nvd_published_at":"2018-05-08T20:29:00Z","github_reviewed":true,"cwe_ids":["CWE-200"],"severity":"MODERATE","github_reviewed_at":"2022-07-01T17:47:58Z"},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2017-2606"},{"type":"WEB","url":"https://github.com/jenkinsci/jenkins/commit/09cfbc9cd5c9df7c763bc976b7f5c51266b63719"},{"type":"WEB","url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2606"},{"type":"PACKAGE","url":"https://github.com/jenkinsci/jenkins"},{"type":"WEB","url":"https://jenkins.io/security/advisory/2017-02-01"},{"type":"WEB","url":"http://www.securityfocus.com/bid/95962"}],"affected":[{"package":{"name":"org.jenkins-ci.main:jenkins-core","ecosystem":"Maven","purl":"pkg:maven/org.jenkins-ci.main/jenkins-core"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.32.2"}]}],"versions":["1.396","1.397","1.398","1.399","1.400","1.401","1.403","1.404","1.405","1.406","1.407","1.408","1.409","1.409.1","1.409.2","1.409.3","1.410","1.411","1.412","1.413","1.414","1.415","1.416","1.417","1.418","1.419","1.420","1.421","1.422","1.423","1.424","1.424.1","1.424.2","1.424.3","1.424.4","1.424.5","1.424.6","1.425","1.426","1.427","1.428","1.429","1.430","1.431","1.432","1.433","1.434","1.435","1.436","1.437","1.438","1.439","1.440","1.441","1.442","1.443","1.444","1.445","1.446","1.447","1.447.1","1.447.2","1.448","1.449","1.450","1.451","1.452","1.453","1.454"
,"1.455","1.456","1.457","1.458","1.459","1.460","1.461","1.462","1.463","1.464","1.465","1.466","1.466.1","1.466.2","1.467","1.468","1.469","1.470","1.471","1.472","1.473","1.474","1.475","1.476","1.477","1.478","1.479","1.480","1.480.1","1.480.2","1.480.3","1.481","1.482","1.483","1.484","1.485","1.486","1.487","1.488","1.489","1.490","1.491","1.492","1.493","1.494","1.495","1.496","1.497","1.498","1.499","1.500","1.501","1.502","1.503","1.504","1.505","1.506","1.507","1.508","1.509","1.509.1","1.509.2","1.509.2.JENKINS-14362-jzlib","1.509.2.JENKINS-8856-diag","1.509.3","1.509.3.JENKINS-14362-jzlib","1.509.4","1.510","1.511","1.512","1.513","1.514","1.515","1.516","1.516.JENKINS-14362-jzlib","1.517","1.518","1.518.JENKINS-14362-jzlib","1.519","1.520","1.521","1.522","1.523","1.524","1.525","1.526","1.527","1.528","1.529","1.530","1.531","1.532","1.532.1","1.532.1.JENKINS-19453","1.532.2","1.532.2.JENKINS-21622-diag","1.532.2.JENKINS-22395-diag","1.532.3","1.532.3.JENKINS-22395","1.532.3.JENKINS-22395-2","1.533","1.534","1.535","1.536","1.537","1.538","1.539","1.540","1.541","1.542","1.543","1.544","1.545","1.546","1.547","1.548","1.549","1.550","1.551","1.552","1.553","1.554","1.554.1","1.554.2","1.554.3","1.554.3.JENKINS-18065-ALLRM-all","1.554.3.JENKINS-18065-JENKINS-23945","1.555","1.556","1.557","1.558","1.559","1.560","1.561","1.562","1.563","1.564","1.565","1.565.1","1.565.1.JENKINS-22395-dropLinks","1.565.2","1.565.3","1.566","1.567","1.568","1.569","1.570","1.571","1.572","1.573","1.574","1.575","1.576","1.577","1.578","1.579","1.580","1.580.1","1.580.2","1.580.3","1.581","1.582","1.583","1.584","1.585","1.586","1.587","1.588","1.589","1.590","1.591","1.592","1.593","1.594","1.595","1.596","1.596.1","1.596.2","1.596.3","1.597","1.598","1.599","1.600","1.601","1.602","1.604","1.605","1.606","1.607","1.608","1.609","1.609.1","1.609.2","1.609.3","1.610","1.611","1.612","1.613","1.614","1.615","1.616","1.617","1.618","1.619","1.620","1.621","1.622","1.623","1.
624","1.625","1.625.1","1.625.2","1.625.3","1.626","1.627","1.628","1.629","1.630","1.631","1.632","1.633","1.634","1.635","1.636","1.637","1.638","1.639","1.640","1.641","1.642","1.642.1","1.642.2","1.642.3","1.642.4","1.643","1.644","1.645","1.646","1.647","1.648","1.649","1.650","1.651","1.651.1","1.651.2","1.651.3","1.652","1.653","1.654","1.655","1.656","1.657","1.658","2.0","2.0-alpha-1","2.0-alpha-2","2.0-alpha-3","2.0-alpha-4","2.0-beta-1","2.0-beta-2","2.0-rc-1","2.1","2.10","2.11","2.12","2.13","2.14","2.15","2.16","2.17","2.18","2.19","2.19.1","2.19.2","2.19.3","2.19.4","2.2","2.20","2.21","2.22","2.23","2.24","2.25","2.26","2.27","2.28","2.29","2.3","2.30","2.31","2.32","2.32.1","2.4","2.5","2.6","2.7","2.7.1","2.7.2","2.7.3","2.7.4","2.8","2.9"],"database_specific":{"last_known_affected_version_range":"\u003c= 2.32.1","source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-6967-9vvv-4cmm/GHSA-6967-9vvv-4cmm.json"}},{"package":{"name":"org.jenkins-ci.main:jenkins-core","ecosystem":"Maven","purl":"pkg:maven/org.jenkins-ci.main/jenkins-core"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.34"},{"fixed":"2.44"}]}],"versions":["2.34","2.35","2.36","2.37","2.38","2.39","2.40","2.41","2.42","2.43"],"database_specific":{"last_known_affected_version_range":"\u003c= 2.43","source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-6967-9vvv-4cmm/GHSA-6967-9vvv-4cmm.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}]}