CVE-2017-2604 — Improper Authentication in Jenkins

Description

In Jenkins before versions 2.44 and 2.32.2, low privilege users were able to act on administrative monitors due to them not being consistently protected by permission checks (SECURITY-371).

How to fix CVE-2017-2604

To remediate CVE-2017-2604, upgrade the affected package to a fixed version below.

Maven/org.jenkins-ci.main:jenkins-core—upgrade to 2.32.2 or later

Is CVE-2017-2604 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 2.32.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2017-2604
PATCHgithub.com/jenkinsci/jenkins
WEBbugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2604
WEBgithub.com/jenkinsci/jenkins/commit/6efcf6c2ac39bc5c59ac7251822be8ddf67ceaf8
WEB