The Jenkins 2.73.1 and earlier, 2.83 and earlier default form control for passwords and other secrets, <f:password/>, supports form validation (e.g. for API keys). The form validation AJAX requests were sent via GET, which could result in secrets being logged to a HTTP access log in non-default configurations of Jenkins, and made available to users with access to these log files. Form validation for <f:password/> is now always sent via POST, which is typically not logged.
The MITRE CVE dictionary describes this issue as:
Find out more about CVE-2017-1000401 from the MITRE CVE dictionary dictionary and NIST NVD.
NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.
CVSS3 Base Score | 2.2 |
---|---|
CVSS3 Base Metrics | CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N |
Attack Vector | Local |
Attack Complexity | High |
Privileges Required | Low |
User Interaction | Required |
Scope | Unchanged |
Confidentiality | Low |
Integrity Impact | None |
Availability Impact | None |
Platform | Package | State |
---|---|---|
Red Hat OpenShift Enterprise 3 | jenkins | Affected |