Skip to main content

Pipeline CVE-2017-1000089

MEDIUM
Incorrect Default Permissions (CWE-276)
2017-10-05 cve@mitre.org
5.3
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Oct 05, 2017 - 01:29 cve.org
MEDIUM 5.3

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 3 maven packages depend on org.jenkins-ci.plugins:pipeline-build-step (1 direct, 2 indirect)

Ecosystem-wide dependent count for version 2.5.1.

DescriptionCVE.org

Builds in Jenkins are associated with an authentication that controls the permissions that the build has to interact with other elements in Jenkins. The Pipeline: Build Step Plugin did not check the build authentication it was running as and allowed triggering any other project in Jenkins.

AnalysisAI

Builds in Jenkins are associated with an authentication that controls the permissions that the build has to interact with other elements in Jenkins. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Incorrect Default Permissions vulnerability could allow attackers to access resources due to overly permissive default settings.

Technical ContextAI

This vulnerability is classified as Incorrect Default Permissions (CWE-276), which allows attackers to access resources due to overly permissive default settings. Builds in Jenkins are associated with an authentication that controls the permissions that the build has to interact with other elements in Jenkins. The Pipeline: Build Step Plugin did not check the build authentication it was running as and allowed triggering any other project in Jenkins. Affected products include: Jenkins Pipeline\.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Set restrictive default permissions, follow principle of least privilege, review defaults during deployment.

CVE-2019-1003002 HIGH POC
8.8 Jan 22

A sandbox bypass vulnerability exists in Pipeline: Declarative Plugin 1.3.3 and earlier in. Rated high severity (CVSS 8.

CVE-2019-1003001 HIGH POC
8.8 Jan 22

A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.61 and earlier in src/main/java/org/jenkinsci/plugins

CVE-2019-1003030 CRITICAL POC
9.9 Mar 08

A sandbox bypass vulnerability exists in Jenkins Pipeline: Groovy Plugin 2.63 and earlier in pom.xml, src/main/java/org/

CVE-2022-43402 CRITICAL
9.9 Oct 19

A sandbox bypass vulnerability involving various casts performed implicitly by the Groovy language runtime in Jenkins Pi

CVE-2019-1003041 CRITICAL
9.8 Mar 28

A sandbox bypass vulnerability in Jenkins Pipeline: Groovy Plugin 2.64 and earlier allows attackers to invoke arbitrary

CVE-2017-1000096 HIGH
8.8 Oct 05

Arbitrary code execution due to incomplete sandbox protection: Constructors, instance variable initializers, and instanc

CVE-2022-43407 HIGH
8.8 Oct 19

Jenkins Pipeline: Input Step Plugin 451.vf1a_a_4f405289 and earlier does not restrict or sanitize the optionally specifi

CVE-2020-2166 HIGH
8.8 Mar 25

Jenkins Pipeline: AWS Steps Plugin 1.40 and earlier does not configure its YAML parser to prevent the instantiation of a

CVE-2020-2109 HIGH
8.8 Feb 12

Sandbox protection in Jenkins Pipeline: Groovy Plugin 2.78 and earlier can be circumvented through default parameter exp

CVE-2018-1000866 HIGH
8.8 Dec 10

A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.59 and earlier in groovy-sandbox/src/main/java/org/ko

CVE-2026-40938 HIGH
8.5 Apr 21

Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. From 1.0.0 to before 1.11.0,

CVE-2022-30945 HIGH
8.5 May 17

Jenkins Pipeline: Groovy Plugin 2689.v434009a_31b_f1 and earlier allows loading any Groovy source files on the classpath

Share

CVE-2017-1000089 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy