CVE-2017-2613 - OpenCVE

jenkins before versions 2.44, 2.32.2 is vulnerable to a user creation CSRF using GET by admins. While this user record was only retained until restart in most cases, administrators' web browsers could be manipulated to create a large number of user records (SECURITY-406).

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:N/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Jenkins	Jenkins

Configuration 1 [-]

OR	cpe:2.3:a:jenkins:jenkins:::::lts:::*
	cpe:2.3:a:jenkins:jenkins::::::::

References

Link	Resource
http://www.securityfocus.com/bid/95967	Third Party Advisory VDB Entry
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2613	Issue Tracking
https://github.com/jenkinsci/jenkins/commit/b88b20ec473200db35d0a0d29dcf192069106601	Patch
https://jenkins.io/security/advisory/2017-02-01/	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: redhat

Published: 2018-05-15T22:00:00

Updated: 2018-05-16T09:57:01

Reserved: 2016-12-01T00:00:00

Link: CVE-2017-2613

JSON object: View

NVD Information

Status : Modified

Published: 2018-05-15T22:29:00.207

Modified: 2019-10-09T23:26:56.507

Link: CVE-2017-2613

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "jenkins", "vendor": "[UNKNOWN]", "versions": [{"status": "affected", "version": "jenkins 2.44"}, {"status": "affected", "version": "jenkins 2.32.2"}]}], "datePublic": "2017-02-01T00:00:00", "descriptions": [{"lang": "en", "value": "jenkins before versions 2.44, 2.32.2 is vulnerable to a user creation CSRF using GET by admins. While this user record was only retained until restart in most cases, administrators' web browsers could be manipulated to create a large number of user records (SECURITY-406)."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "description": "CWE-770", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2018-05-16T09:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://jenkins.io/security/advisory/2017-02-01/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/jenkinsci/jenkins/commit/b88b20ec473200db35d0a0d29dcf192069106601"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2613"}, {"name": "95967", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/95967"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2017-2613", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "jenkins", "version": {"version_data": [{"version_value": "jenkins 2.44"}, {"version_value": "jenkins 2.32.2"}]}}]}, "vendor_name": "[UNKNOWN]"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "jenkins before versions 2.44, 2.32.2 is vulnerable to a user creation CSRF using GET by admins. While this user record was only retained until restart in most cases, administrators' web browsers could be manipulated to create a large number of user records (SECURITY-406)."}]}, "impact": {"cvss": [[{"vectorString": "5.4/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L", "version": "3.0"}]]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-770"}]}]}, "references": {"reference_data": [{"name": "https://jenkins.io/security/advisory/2017-02-01/", "refsource": "CONFIRM", "url": "https://jenkins.io/security/advisory/2017-02-01/"}, {"name": "https://github.com/jenkinsci/jenkins/commit/b88b20ec473200db35d0a0d29dcf192069106601", "refsource": "CONFIRM", "url": "https://github.com/jenkinsci/jenkins/commit/b88b20ec473200db35d0a0d29dcf192069106601"}, {"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2613", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2613"}, {"name": "95967", "refsource": "BID", "url": "http://www.securityfocus.com/bid/95967"}]}}}}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2017-2613", "datePublished": "2018-05-15T22:00:00", "dateReserved": "2016-12-01T00:00:00", "dateUpdated": "2018-05-16T09:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*", "matchCriteriaId": "F1F48E96-6C2B-4773-98A4-BFF626A0811F", "versionEndExcluding": "2.32.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:*:*:*:*", "matchCriteriaId": "D4595374-F7F2-43D5-BB78-37E8377B1E45", "versionEndExcluding": "2.44", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "jenkins before versions 2.44, 2.32.2 is vulnerable to a user creation CSRF using GET by admins. While this user record was only retained until restart in most cases, administrators' web browsers could be manipulated to create a large number of user records (SECURITY-406)."}, {"lang": "es", "value": "Jenkins en versiones anteriores a la 2.44 y 2.32.2 es vulnerable a Cross-Site Request Forgery (CSRF) de creaci\u00f3n de usuarios mediante el uso de GET por parte de los administradores. Aunque este registro de usuarios solo se retiene hasta el reinicio en la mayor\u00eda de casos, los navegadores web de los administradores se podr\u00edan manipular para crear un gran n\u00famero de registros de usuario (SECURITY-406)."}], "id": "CVE-2017-2613", "lastModified": "2019-10-09T23:26:56.507", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.8, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2018-05-15T22:29:00.207", "references": [{"source": "secalert@redhat.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/95967"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2613"}, {"source": "secalert@redhat.com", "tags": ["Patch"], "url": "https://github.com/jenkinsci/jenkins/commit/b88b20ec473200db35d0a0d29dcf192069106601"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://jenkins.io/security/advisory/2017-02-01/"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-770"}], "source": "secalert@redhat.com", "type": "Secondary"}]}