CVE-2017-1000354: Improper Authentication

January 29, 2018 (updated February 15, 2018)

The login command available in the remoting-based CLI stores the encrypted user name of the successfully authenticated user in a cache file used to authenticate further commands. Users with sufficient permission to create secrets in Jenkins, and download their encrypted values, were able to impersonate any other Jenkins user on the same instance.

References

www.securityfocus.com/bid/98065
jenkins.io/security/advisory/2017-04-26/
nvd.nist.gov/vuln/detail/CVE-2017-1000354

Detect and mitigate CVE-2017-1000354 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →