vulnerability

Jenkins Advisory 2017-10-11: CVE-2017-1000401: Form validation for password fields was sent via GET

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
1	(AV:L/AC:H/Au:N/C:P/I:N/A:N)	2017-11-20	2017-11-20	2019-01-21

Severity

CVSS

(AV:L/AC:H/Au:N/C:P/I:N/A:N)

Published

2017-11-20

Added

2017-11-20

Modified

2019-01-21

Description

The Jenkins 2.73.1 and earlier, 2.83 and earlier default form control for passwords and other secrets, , supports form validation (e.g. for API keys). The form validation AJAX requests were sent via GET, which could result in secrets being logged to a HTTP access log in non-default configurations of Jenkins, and made available to users with access to these log files. Form validation for is now always sent via POST, which is typically not logged.

Solution(s)

jenkins-lts-upgrade-2_73_2jenkins-upgrade-2_84

References

CVE-2017-100040
https://attackerkb.com/topics/CVE-2017-100040
URL-https://jenkins.io/security/advisory/2017-10-11/

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today