
CVE-2017-2654:
Emails were sent to addresses not associated with actual users of Jenkins by Email Extension Plugin

CVSS Score: 5.3

Basic Information

EPSS Score: -
Published: 5/13/2022
Updated: 1/30/2024
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Package Name                     | Ecosystem | Vulnerable Versions | First Patched Version
org.jenkins-ci.plugins:email-ext | maven     | < 2.57.1            | 2.57.1

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from email recipient collection logic using SCM changelog data without Jenkins user validation. The Email Extension Plugin's recipient provider implementations (UpstreamComitterRecipientProvider, FailingTestSuspectsRecipientProvider) are primary candidates as they handle dynamic recipient list generation from build/changelog data. These functions would appear in runtime profiles during email list construction when processing SCM changes. The medium confidence reflects inference from vulnerability patterns as no direct patch code was available for analysis.

WAF Protection Rules

WAF Rule

jenkins-email-ext before version 2.57.1 is vulnerable to an Information Exposure. The Email Extension Plugins is able to send emails to a dynamically created list of users based on the changelogs, like authors of SCM changes since the last successful
