CVE-2017-2598

Published: May 23, 2018Modified: Nov 21, 2024

4.3

Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Exploitability: 2.8 / Impact: 1.4

Source: NVD

Description

Jenkins before versions 2.44, 2.32.2 uses AES ECB block cipher mode without IV for encrypting secrets which makes Jenkins and the stored secrets vulnerable to unnecessary risks (SECURITY-304).

Affected (2)

Products: Jenkins: Jenkins

Jenkins

1 product

Jenkins

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Jenkins Jenkins	Before 2.44

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Jenkins Jenkins	Before 2.32.2

Related CWEs

CWE-325

Missing Cryptographic Step

The product does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by the algorithm.

CWE-326

Inadequate Encryption Strength

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

References (8)

http://www.securityfocus.com/bid/95948

Source: secalert@redhat.com

Third Party AdvisoryVDB Entry

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2598

Source: secalert@redhat.com

Issue Tracking

https://github.com/jenkinsci/jenkins/commit/e6aa166246d1734f4798a9e31f78842f4c85c28b

Source: secalert@redhat.com

Patch

https://jenkins.io/security/advisory/2017-02-01/

Source: secalert@redhat.com

Vendor Advisory

http://www.securityfocus.com/bid/95948

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2598

Source: af854a3a-2127-422b-91ae-364da2661108

Issue Tracking

https://github.com/jenkinsci/jenkins/commit/e6aa166246d1734f4798a9e31f78842f4c85c28b

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://jenkins.io/security/advisory/2017-02-01/

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.