CVE-2017-1000503

A race condition during Jenkins 2.81 through 2.94 (inclusive); 2.89.1 startup could result in the wrong order of execution of commands during initialization. This could in rare cases result in failure to initialize the setup wizard on the first startup. This resulted in multiple security-related settings not being set to their usual strict default.

CVSS v3 8.1 HIGH
CVSS v2.0 6.8 MEDIUM

8.1^/10

CVSS v3 : HIGH

Vector : AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability : 2.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://jenkins.io/security/advisory/2017-12-14/	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:jenkins:jenkins::::::::
	cpe:2.3:a:jenkins:jenkins:2.89.1::::lts:::

History

No history.

Information

Published : 2018-01-24 23:29

Updated : 2024-02-28 16:25

NVD link : CVE-2017-1000503

Mitre link : CVE-2017-1000503

CVE.ORG link : CVE-2017-1000503

JSON object : View

Products Affected

jenkins

jenkins

CWE

CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

{"id": "CVE-2017-1000503", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.2}]}, "published": "2018-01-24T23:29:00.310", "references": [{"url": "https://jenkins.io/security/advisory/2017-12-14/", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-362"}]}], "descriptions": [{"lang": "en", "value": "A race condition during Jenkins 2.81 through 2.94 (inclusive); 2.89.1 startup could result in the wrong order of execution of commands during initialization. This could in rare cases result in failure to initialize the setup wizard on the first startup. This resulted in multiple security-related settings not being set to their usual strict default."}, {"lang": "es", "value": "Una condici\u00f3n de carrera durante el inicio de Jenkins 2.81 hasta la versi\u00f3n 2.94 (incluida) y la versi\u00f3n 2.89.1 podr\u00eda desembocar en un orden incorrecto de ejecuci\u00f3n de comandos durante el proceso de inicializaci\u00f3n. En contadas ocasiones, esto podr\u00eda resultar en el error a la hora de inicializar el asistente de instalaci\u00f3n durante el primer inicio. Como resultado, m\u00faltiples opciones de seguridad no se establecieron en sus niveles strict por defecto."}], "lastModified": "2018-02-12T16:08:35.207", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6206303A-CB18-4063-A633-A8AE7BB13885", "versionEndIncluding": "2.94", "versionStartIncluding": "2.81"}, {"criteria": "cpe:2.3:a:jenkins:jenkins:2.89.1:*:*:*:lts:*:*:*", "vulnerable": true, "matchCriteriaId": "F14937F4-6BF9-4BDC-B698-6EA53CC6FB26"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}