https://bugzilla.redhat.com/show_bug.cgi?id=1418717 Bug ID: 1418717 Summary: CVE-2017-2606 jenkins: Internal API allowed access to item names that should not be visible (SECURITY-380) Product: Security Response Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: anemec(a)redhat.com CC: abhgupta(a)redhat.com, bleanhar(a)redhat.com, ccoleman(a)redhat.com, dedgar(a)redhat.com, dmcphers(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jgoulding(a)redhat.com, jkeck(a)redhat.com, joelsmith(a)redhat.com, kseifried(a)redhat.com, mizdebsk(a)redhat.com, msrb(a)redhat.com, tdawson(a)redhat.com, tiwillia(a)redhat.com The following flaw was found in Jenkins: The method Jenkins#getItems() included a performance optimization that resulted in all items being returned if the Logged in users can do anything authorization strategy was used, and no access was granted to anonymous users (an option added in Jenkins 2.0). This only affects anonymous users (other users legitimately have access) that were able to get a list of items via an UnprotectedRootAction. External References: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+20... Upstream patch: https://github.com/jenkinsci/jenkins/commit/09cfbc9cd5c9df7c763bc976b7f5c... -- You are receiving this mail because: You are on the CC list for the bug.