Description

The Jenkins 2.73.1 and earlier, 2.83 and earlier remote API at /queue/item/(ID)/api showed information about tasks in the queue (typically builds waiting to start). This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API endpoint is now only available for tasks that the current user has access to.

Remediation

References

https://jenkins.io/security/advisory/2017-10-11/

Related Vulnerabilities

CVE-2023-35157 Vulnerability in maven package org.xwiki.platform:xwiki-platform-oldcore

CVE-2022-36884 Vulnerability in maven package org.jenkins-ci.plugins:git

CVE-2014-7810 Vulnerability in maven package org.mortbay.jasper:apache-el

CVE-2023-25753 Vulnerability in maven package org.apache.shenyu:shenyu-admin

CVE-2017-1000400 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

Severity

Medium

Classification

CWE-200 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Tags

Vendor Advisory