
CVE-2017-2606: Exposure of Sensitive Information to an Unauthorized Actor in Jenkins

CVSS Score (v3.0): 4.3

Basic Information

EPSS Score: 0.12988%
Published: 5/13/2022
Updated: 1/27/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name                      Ecosystem  Vulnerable Versions  First Patched Version
org.jenkins-ci.main:jenkins-core  maven      <= 2.32.1            2.32.2
org.jenkins-ci.main:jenkins-core  maven      >= 2.34, <= 2.43     2.44

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The analysis of the patch for CVE-2017-2606 revealed that the getItems() method in Jenkins.java was directly modified to address the vulnerability. This method is responsible for returning a list of items, and the patch removed an optimization that was causing it to return all items without proper permission checks for anonymous users.
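To illustrate the bug class described above, here is an added, simplified Java model (not Jenkins' own code; the Item, Strategy and ItemListing types are invented for this example). It places a listing method that trusts an authorization-strategy fast path beside one that checks READ on every item for every caller, including anonymous ones.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Hypothetical item type: each item carries its own READ rule for anonymous callers.
class Item {
    final String name;
    final boolean anonymousMayRead;
    Item(String name, boolean anonymousMayRead) { this.name = name; this.anonymousMayRead = anonymousMayRead; }
    boolean hasReadPermission(boolean authenticated) { return authenticated || anonymousMayRead; }
}
// Hypothetical authorization strategies, modelled only by name.
enum Strategy { UNSECURED, FULL_CONTROL_ONCE_LOGGED_IN, PROJECT_MATRIX }

class ItemListing {
    private final Strategy strategy;
    private final List<Item> items;
    ItemListing(Strategy strategy, Item... items) { this.strategy = strategy; this.items = Arrays.asList(items); }

    // Pre-fix shape: a fast path assumes the strategy grants READ on every item and
    // skips the per-item check. Anonymous callers reach it too, so every item name
    // is returned even when anonymous READ was never granted.
    List<String> getItemsVulnerable(boolean authenticated) {
        if (strategy == Strategy.UNSECURED || strategy == Strategy.FULL_CONTROL_ONCE_LOGGED_IN) {
            return names(items);
        }
        return names(visibleTo(authenticated));
    }
    // Post-fix shape: no shortcut; every item is checked against the caller.
    List<String> getItemsFixed(boolean authenticated) { return names(visibleTo(authenticated)); }

    private List<Item> visibleTo(boolean authenticated) {
        List<Item> out = new ArrayList<>();
        for (Item i : items) if (i.hasReadPermission(authenticated)) out.add(i);
        return out;
    }
    private static List<String> names(List<Item> in) {
        List<String> out = new ArrayList<>();
        for (Item i : in) out.add(i.name);
        return out;
    }
}

public class Demo {
    public static void main(String[] args) {
        ItemListing listing = new ItemListing(Strategy.FULL_CONTROL_ONCE_LOGGED_IN,
                new Item("public-docs", true), new Item("internal-release", false));
        // Same anonymous caller (authenticated == false) against both listing methods.
        System.out.println("vulnerable: " + listing.getItemsVulnerable(false));
        System.out.println("fixed:      " + listing.getItemsFixed(false));
    }
}
```

The fixed variant costs one permission check per item, which is the optimization the patch gave up in exchange for correct results for anonymous callers.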


WAF Protection Rules

WAF Rule

Jenkins before versions 2.44 and 2.32.2 is vulnerable to an information exposure in the internal API that allows access to item names that should not be visible (SECURITY-380). This only affects anonymous users (other users legitimately have access).
