CVE-2017-2606: Information Exposure

May 8, 2018 (updated October 9, 2019)

Jenkins is vulnerable to an information exposure in the internal API that allows access to item names that should not be visible. This only affects anonymous users (other users legitimately have access) that were able to get a list of items via an UnprotectedRootAction.

References

www.securityfocus.com/bid/95962
bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2606
jenkins.io/security/advisory/2017-02-01/
nvd.nist.gov/vuln/detail/CVE-2017-2606

Code Behaviors & Features

Detect and mitigate CVE-2017-2606 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →