Bug 1501818 (CVE-2017-1000400) - CVE-2017-1000400 jenkins: "Job" remote API disclosed information about inaccessible upstream/downstream jobs (SECURITY-617)
Summary: CVE-2017-1000400 jenkins: "Job" remote API disclosed information about inacce...
Alias: CVE-2017-1000400
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1558871 1558872 1558873
Blocks: 1501826
TreeView+ depends on / blocked
Reported: 2017-10-13 09:22 UTC by Adam Mariš
Modified: 2021-02-17 01:23 UTC (History)
13 users (show)

Fixed In Version: jenkins 2.73.2, jenkins 2.83
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2020-05-20 21:16:48 UTC

Attachments (Terms of Use)

Description Adam Mariš 2017-10-13 09:22:06 UTC
The remote API at /job/(job-name)/api contained information about upstream and downstream projects. This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Job/Read permission.

External References:


Comment 1 Jason Shepherd 2018-03-21 07:55:13 UTC
Created jenkins tracking bugs for this issue:

Affects: fedora-all [bug 1558871]

Comment 3 Jason Shepherd 2018-04-03 04:59:28 UTC
Openshift Enterprise now uses Jenkins 2.89.2. Marking as not affected.

Comment 4 Product Security DevOps Team 2020-05-20 21:16:48 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Note You need to log in before you can comment on or make changes to this bug.