Red Hat Bugzilla – Bug 1418717
CVE-2017-2606 jenkins: Internal API allowed access to item names that should not be visible (SECURITY-380)
Last modified: 2018-05-08 14:27:17 EDT
The following flaw was found in Jenkins:
The method Jenkins#getItems() included a performance optimization that resulted in all items being returned if the Logged in users can do anything authorization strategy was used, and no access was granted to anonymous users (an option added in Jenkins 2.0). This only affects anonymous users (other users legitimately have access) that were able to get a list of items via an UnprotectedRootAction.
Created jenkins tracking bugs for this issue:
Affects: fedora-all [bug 1418736]