CVE-2017-1000401

Impact:
Low
Public Date:
2017-10-11
CWE:
CWE-532
Bugzilla:
1501819: CVE-2017-1000401 jenkins: Form validation for password fields was sent via GET (SECURITY-616)

The MITRE CVE dictionary describes this issue as:

The Jenkins 2.73.1 and earlier, 2.83 and earlier default form control for passwords and other secrets, <f:password/>, supports form validation (e.g. for API keys). The form validation AJAX requests were sent via GET, which could result in secrets being logged to a HTTP access log in non-default configurations of Jenkins, and made available to users with access to these log files. Form validation for <f:password/> is now always sent via POST, which is typically not logged.

Find out more about CVE-2017-1000401 from the MITRE CVE dictionary dictionary and NIST NVD.

CVSS v3 metrics

NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.

CVSS3 Base Score 2.2
CVSS3 Base Metrics CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
Attack Vector Local
Attack Complexity High
Privileges Required Low
User Interaction Required
Scope Unchanged
Confidentiality Low
Integrity Impact None
Availability Impact None

Affected Packages State

Platform Package State
Red Hat OpenShift Enterprise 3 jenkins Affected

External References

Last Modified

CVE description copyright © 2017, The MITRE Corporation

Close

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.