Bug 1501817 (CVE-2017-1000399) - CVE-2017-1000399 jenkins: "Queue Item" remote API disclosed information about inaccessible jobs (SECURITY-618)
Summary: CVE-2017-1000399 jenkins: "Queue Item" remote API disclosed information about...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2017-1000399
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: medium medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1501971 1558840 1558841
Blocks: 1501826
Reported: 2017-10-13 09:21 UTC by Adam Mariš
Modified: 2021-02-17 01:23 UTC (History)

Fixed In Version: jenkins 2.73.2, jenkins 2.83
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-05-20 21:16:45 UTC
Embargoed:



Description Adam Mariš 2017-10-13 09:21:52 UTC
The remote API at /queue/item/(ID)/api showed information about tasks in the queue (typically builds waiting to start). This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Job/Read permission.

External References:

https://jenkins.io/security/advisory/2017-10-11/

Comment 1 Kurt Seifried 2017-10-13 15:34:16 UTC
Created jenkins tracking bugs for this issue:

Affects: openshift-1 [bug 1501971]

Comment 2 Jason Shepherd 2018-03-21 06:19:51 UTC
Created jenkins tracking bugs for this issue:

Affects: fedora-all [bug 1558840]

Comment 4 Jason Shepherd 2018-04-03 05:12:06 UTC
OpenShift is now using Jenkins 2.89.2. Marking Enterprise and Online as not affected.

Comment 5 Product Security DevOps Team 2020-05-20 21:16:45 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2017-1000399
