Description

jenkins before versions 2.44, 2.32.2 is vulnerable to an information disclosure vulnerability in search suggestions (SECURITY-385). The autocomplete feature on the search box discloses the names of the views in its suggestions, including the ones for which the current user does not have access to.

Remediation

References

https://github.com/jenkinsci/jenkins/commit/13905d8224899ba7332fe9af4e330ea96a2ae319

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2609

http://www.securityfocus.com/bid/95964

Related Vulnerabilities

CVE-2021-3757 Vulnerability in npm package immer

CVE-2020-12668 Vulnerability in maven package com.hubspot.jinjava:jinjava

CVE-2020-28052 Vulnerability in maven package org.bouncycastle:bcprov-jdk15to18

CVE-2020-1695 Vulnerability in maven package org.jboss.resteasy:resteasy-core

CVE-2013-2160 Vulnerability in maven package org.codehaus.woodstox:woodstox-core-asl

Severity

Medium

Classification

CWE-200 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Tags

Patch Third Party Advisory Issue Tracking VDB Entry