CVE-2017-1000401

Published: 26/01/2018 Updated: 08/05/2019
CVSS v2 Base Score: 1.2 | Impact Score: 2.9 | Exploitability Score: 1.9
CVSS v3 Base Score: 2.2 | Impact Score: 1.4 | Exploitability Score: 0.8
VMScore: 107
CVSS v2 Vector: AV:L/AC:H/Au:N/C:P/I:N/A:N

Vulnerability Summary

Jenkins 2.73.1 and earlier (the LTS line) and 2.83 and earlier (the weekly line) ship a default form control for passwords and other secrets, <f:password/>, that supports form validation (e.g. checking an API key). Those form-validation AJAX requests were sent via GET, so the secret travelled in the URL query string. Jenkins does not write an HTTP access log by default, but in configurations that do (the embedded Winstone access logger, or a reverse proxy in front of Jenkins that logs request lines), the secret ends up in that log and is readable by anyone with access to the log files. Form validation for <f:password/> is now always sent via POST, whose request body is not normally logged. Anyone who ran an affected version with access logging enabled should treat those logs as containing secrets: search them for GET requests to validation endpoints, rotate any secrets found, and restrict or purge the log files.
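The following is an added example, not code from the Jenkins project or from this advisory, showing the check a practitioner would run against an access log after this issue: it parses combined-format log lines, picks out Jenkins form-validation requests, and reports every GET whose query string carried a field value, while a POST to the same endpoint (the post-fix behaviour) yields nothing because the value is in the body. The log lines are constructed for the example. It assumes the Jenkins URL layout for validation endpoints (descriptorByName/<Descriptor>/check<Field> with the field value in a "value" query parameter) and uses a simple name heuristic to flag fields that are likely secrets; both are assumptions of this example, not statements from the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (Apache/nginx "combined" format). They are
# made up for this example and do not come from any real Jenkins deployment.
SAMPLE_LOG = """\
10.0.0.5 - alice [12/Nov/2017:10:14:02 +0000] "GET /jenkins/descriptorByName/org.example.SlackNotifier/checkToken?value=xoxb-1234-SECRET HTTP/1.1" 200 2 "https://ci.example.test/jenkins/configure" "Mozilla/5.0"
10.0.0.5 - alice [12/Nov/2017:10:14:05 +0000] "GET /jenkins/job/build-all/descriptorByName/hudson.tasks.Mailer/checkSmtpServer?value=smtp.example.test HTTP/1.1" 200 2 "-" "Mozilla/5.0"
10.0.0.7 - bob [12/Nov/2017:10:15:11 +0000] "POST /jenkins/descriptorByName/org.example.SlackNotifier/checkToken HTTP/1.1" 200 2 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Nov/2017:10:16:40 +0000] "GET /jenkins/static/abc123/css/style.css HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Request-line portion of a combined-format entry: method, target, protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Assumed Jenkins layout: field validation is routed to
# descriptorByName/<Descriptor>/check<Field>, with the field's value in ?value=.
VALIDATION_PATH_RE = re.compile(r"/descriptorByName/[^/]+/check[A-Za-z0-9_]+$")

# Field names that conventionally hold secrets. A heuristic assumed by this example.
SECRET_HINT_RE = re.compile(r"(token|password|passwd|secret|apikey|api_key|credential)", re.I)


def redact(value: str, keep: int = 4) -> str:
    """Keep only a short prefix so the report itself does not re-leak the secret."""
    if len(value) <= keep:
        return "*" * len(value)
    return value[:keep] + "*" * (len(value) - keep)


def scan_access_log(text: str) -> list:
    """Return one finding per GET form-validation request that carried query data."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not VALIDATION_PATH_RE.search(parts.path):
            continue  # not a form-validation endpoint
        params = parse_qsl(parts.query, keep_blank_values=True)
        if m.group("method") != "GET" or not params:
            # A POST (the fixed behaviour) carries the value in the request body,
            # which access logs do not record, so there is nothing to report.
            continue
        field = parts.path.rsplit("/check", 1)[1]
        findings.append({
            "line": lineno,
            "field": field,
            "likely_secret": bool(SECRET_HINT_RE.search(field)),
            "params": {k: redact(v) for k, v in params},
        })
    return findings


if __name__ == "__main__":
    # Expected: two findings (checkToken flagged as a likely secret, checkSmtpServer
    # not flagged); the POST and the static asset produce nothing.
    for f in scan_access_log(SAMPLE_LOG):
        flag = "SECRET?" if f["likely_secret"] else "       "
        print(f"line {f['line']}: {flag} check{f['field']} {f['params']}")
```

Run it against a real access log by passing the file contents to scan_access_log; every flagged line identifies a secret that should be rotated, and the redaction keeps the report safe to share with the log's owners.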

Vulnerable Product

Vendor: jenkins, Product: jenkins

Vendor Advisories

Jenkins 2.73.1 and earlier, 2.83 and earlier default form control for passwords and other secrets, <f:password/>, supports form validation (e.g. for API keys). The form validation AJAX requests were sent via GET, which could result in secrets being logged to an HTTP access log in non-default configurations of Jenkins, and made available to ...