CVE-2017-1000354: Improper Authentication
(updated )
The login
command available in the remoting-based CLI stores the encrypted user name of the successfully authenticated user in a cache file used to authenticate further commands. Users with sufficient permission to create secrets in Jenkins, and download their encrypted values, were able to impersonate any other Jenkins user on the same instance.
References
Detect and mitigate CVE-2017-1000354 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →