CVE-2017-2654

Published: Aug 6, 2018Modified: Nov 21, 2024

5.3

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Exploitability: 3.9 / Impact: 1.4

Source: NVD

Description

jenkins-email-ext before version 2.57.1 is vulnerable to an Information Exposure. The Email Extension Plugins is able to send emails to a dynamically created list of users based on the changelogs, like authors of SCM changes since the last successful build. This could in some cases result in emails being sent to people who have no user account in Jenkins, and in rare cases even people who were not involved in whatever project was being built, due to some mapping based on the local-part of email addresses.

Affected (1)

Products: Jenkins: Email Extension

1 product

Email Extension

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Jenkins Email Extension	Before 2.57.1

Related CWEs

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References (4)

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2654

Source: secalert@redhat.com

Issue TrackingThird Party Advisory

https://jenkins.io/security/advisory/2017-03-20/

Source: secalert@redhat.com

Vendor Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2654

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingThird Party Advisory

https://jenkins.io/security/advisory/2017-03-20/

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.