
CVE-2017-2598: Inadequate Encryption Strength in Jenkins

CVSS Score (v3.0): 4.3

Basic Information

EPSS Score: 0.05416%
Published: 5/13/2022
Updated: 1/27/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name                        Ecosystem   Vulnerable Versions   First Patched Version
org.jenkins-ci.main:jenkins-core    maven       <= 2.32.1             2.32.2
org.jenkins-ci.main:jenkins-core    maven       >= 2.34, <= 2.43      2.44

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The analysis focused on the functions directly responsible for encrypting and decrypting secrets in Jenkins. The patches show a shift from AES in ECB mode, which uses no IV and therefore always maps the same plaintext block to the same ciphertext block, to AES-128 in CBC mode with a random IV, which addresses the vulnerability. The identified functions are directly involved in this change.
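The shift described above, as an added example that is not Jenkins' own code: it encrypts a secret under the pre-fix scheme (AES ECB, no IV) and the post-fix scheme (AES-128 CBC with a random IV) and applies the check an auditor can run over stored secrets, namely whether two copies of one secret, or two identical blocks inside one secret, produce identical ciphertext. The class and method names are assumptions, and the secret is a constructed sample.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

public class EcbVsCbcDemo {
    // Pre-fix scheme: AES in ECB mode with no IV. Deterministic, so equal inputs give equal outputs.
    static byte[] encryptEcb(SecretKey key, byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key);
        return c.doFinal(plaintext);
    }

    // Post-fix scheme: AES-128 CBC with a fresh random 16-byte IV, stored in front of the ciphertext.
    static byte[] encryptCbc(SecretKey key, byte[] plaintext) throws Exception {
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    // Audit check: encrypt the same secret twice and see whether the stored form reveals they are equal.
    static boolean revealsEqualSecrets(boolean ecb, SecretKey key, byte[] secret) throws Exception {
        byte[] a = ecb ? encryptEcb(key, secret) : encryptCbc(key, secret);
        byte[] b = ecb ? encryptEcb(key, secret) : encryptCbc(key, secret);
        return Arrays.equals(a, b);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();
        // Constructed sample: a 32-byte secret whose two 16-byte blocks are identical.
        byte[] secret = "hunter2-hunter2-hunter2-hunter2-".getBytes(StandardCharsets.US_ASCII);
        byte[] ecb = encryptEcb(key, secret);
        // Under ECB, identical plaintext blocks show up as identical ciphertext blocks.
        boolean repeat = Arrays.equals(Arrays.copyOfRange(ecb, 0, 16), Arrays.copyOfRange(ecb, 16, 32));
        System.out.println("ECB: repeated plaintext block visible in ciphertext: " + repeat);
        System.out.println("ECB: two copies of one secret encrypt identically: " + revealsEqualSecrets(true, key, secret));
        System.out.println("CBC+random IV: two copies encrypt identically: " + revealsEqualSecrets(false, key, secret));
    }
}
```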


WAF Protection Rules

WAF Rule

Jenkins before versions 2.44 and 2.32.2 uses AES ECB block cipher mode without IV for encrypting secrets which makes Jenkins and the stored secrets vulnerable to unnecessary risks (SECURITY-304).
