CVE-2017-2651

jenkins-mailer-plugin before version 1.20 is vulnerable to an information disclosure while using the feature to send emails to a dynamically created list of users based on the changelogs. This could in some cases result in emails being sent to people who have no user account in Jenkins, and in rare cases even people who were not involved in whatever project was being built, due to some mapping based on the local-part of email addresses.
References
Link Resource
http://www.securityfocus.com/bid/96984 Third Party Advisory VDB Entry
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2651 Issue Tracking Third Party Advisory
https://jenkins.io/security/advisory/2017-03-20/ Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:jenkins:mailer:*:*:*:*:*:jenkins:*:*

History

No history.

Information

Published : 2018-07-27 18:29

Updated : 2024-02-04 20:03


NVD link : CVE-2017-2651

Mitre link : CVE-2017-2651

CVE.ORG link : CVE-2017-2651


JSON object : View

Products Affected

jenkins

  • mailer
CWE
CWE-200

Exposure of Sensitive Information to an Unauthorized Actor