CVE-2017-1000401

The Jenkins 2.73.1 and earlier, 2.83 and earlier default form control for passwords and other secrets, <f:password/>, supports form validation (e.g. for API keys). The form validation AJAX requests were sent via GET, which could result in secrets being logged to a HTTP access log in non-default configurations of Jenkins, and made available to users with access to these log files. Form validation for <f:password/> is now always sent via POST, which is typically not logged.

Published: Jan 26, 2018
Updated: May 9, 2024
CVE: CVE-2017-1000401
GHSA: GHSA-h8c5-c92g-jq6x
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 2.2
AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

CVSS v2:

Severity: Low
Score: 1.2
AV:L/AC:H/Au:N/C:P/I:N/A:N

CWEs:

CWE-20

Affected Software
References

Software	From	Fixed in
jenkins / jenkins	-	2.73.1.x
jenkins / jenkins	-	2.83.x
org.jenkins-ci.main / jenkins-core	-	2.73.2
org.jenkins-ci.main / jenkins-core	2.74	2.84

https://github.com/jenkinsci/jenkins/blob/6d179998e18adfbaa4e443c7e837135bf36c53d7/test/src/test/java/lib/form/PasswordTest.java
https://github.com/jenkinsci/jenkins/commit/09d60462b9edf775f08568601bb3e2cfd8075368
https://jenkins.io/security/advisory/2017-10-11/

Vulnerability Database

289,697

CVE-2017-1000401