Vulnerability Details : CVE-2017-2611
Jenkins before versions 2.44, 2.32.2 is vulnerable to an insufficient permission check for periodic processes (SECURITY-389). The URLs /workspaceCleanup and /fingerprintCleanup did not perform permission checks, allowing users with read access to Jenkins to trigger these background processes (that are otherwise performed daily), possibly causing additional load on Jenkins master and agents.
Products affected by CVE-2017-2611
- cpe:2.3:a:redhat:openshift:2.0:*:*:*:enterprise:*:*:*
- cpe:2.3:a:redhat:openshift:3.0:*:*:*:enterprise:*:*:*
- cpe:2.3:a:jenkins:jenkins:*:*:*:*:*:*:*:*
- cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*
Threat overview for CVE-2017-2611
Top countries where our scanners detected CVE-2017-2611
Top open port discovered on systems with this issue
80
IPs affected by CVE-2017-2611 3,351
Threat actors abusing to this issue?
Yes
Find out if you* are
affected by CVE-2017-2611!
*Directly or indirectly through your vendors, service providers and 3rd parties.
Powered by
attack surface intelligence
from SecurityScorecard.
Exploit prediction scoring system (EPSS) score for CVE-2017-2611
0.25%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 63 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2017-2611
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.0
|
MEDIUM | AV:N/AC:L/Au:S/C:N/I:N/A:P |
8.0
|
2.9
|
NIST | |
4.3
|
MEDIUM | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L |
2.8
|
1.4
|
Red Hat, Inc. | |
4.3
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L |
2.8
|
1.4
|
NIST |
CWE ids for CVE-2017-2611
-
The product does not implement or incorrectly implements one or more security-relevant checks as specified by the design of a standardized algorithm, protocol, or technique.Assigned by: secalert@redhat.com (Secondary)
-
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-2611
-
https://jenkins.io/security/advisory/2017-02-01/
Jenkins Security Advisory 2017-02-01Vendor Advisory
-
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2611
1418729 – (CVE-2017-2611) CVE-2017-2611 jenkins: Insufficient permission check for periodic processes (SECURITY-389)Issue Tracking;Third Party Advisory
-
https://github.com/jenkinsci/jenkins/commit/97a61a9fe55f4c16168c123f98301a5173b9fa86
Merge pull request #99 from jenkinsci-cert/SECURITY-389 · jenkinsci/jenkins@97a61a9 · GitHubThird Party Advisory
-
http://www.securityfocus.com/bid/95956
Jenkins CVE-2017-2611 Multiple Security Bypass VulnerabilitiesThird Party Advisory;VDB Entry
Jump to