CVE-2017-2651
Exposure of Sensitive Information to an Unauthorized Actor in Jenkins-mailer-plugin
3.7
LOW
CVSS 3.1
EPSS 0.03%
Description
jenkins-mailer-plugin before version 1.20 is vulnerable to an information disclosure while using the feature to send emails to a dynamically created list of users based on the changelogs. This could in some cases result in emails being sent to people who have no user account in Jenkins, and in rare cases even people who were not involved in whatever project was being built, due to some mapping based on the local-part of email addresses.
How to fix CVE-2017-2651
To remediate CVE-2017-2651, upgrade the affected package to a fixed version below.
- —upgrade to 1.20 or later
Is CVE-2017-2651 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 1.20
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | LOW3.7 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |