CVE-2017-2598

MEDIUM4.3EPSS 0.06%

Inadequate Encryption Strength in Jenkins

Published: 5/13/2022Modified: 2/20/2024

Description

Jenkins before versions 2.44 and 2.32.2 uses AES ECB block cipher mode without IV for encrypting secrets which makes Jenkins and the stored secrets vulnerable to unnecessary risks (SECURITY-304).

Affected packages (1)

Maven/org.jenkins-ci.main:jenkins-corefrom 0, < 2.32.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References (5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2017-2598
PATCHhttps://github.com/jenkinsci/jenkins
WEBhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2598
WEBhttps://github.com/jenkinsci/jenkins/commit/e6aa166246d1734f4798a9e31f78842f4c85c28b
WEBhttps://jenkins.io/security/advisory/2017-02-01