{ "affected": [ { "ranges": [ { "database_specific": { "versions": [ { "introduced": "0" }, { "last_affected": "0.1-beta\\-1" }, { "introduced": "0" }, { "last_affected": "0.1-beta\\-2" }, { "introduced": "0" }, { "last_affected": "0.1-beta\\-3" }, { "introduced": "0" }, { "last_affected": "0.1-beta\\-4" }, { "introduced": "0" }, { "last_affected": "1.0" }, { "introduced": "0" }, { "last_affected": "1.1" }, { "introduced": "0" }, { "last_affected": "1.2" }, { "introduced": "0" }, { "last_affected": "1.3" }, { "introduced": "0" }, { "last_affected": "1.4" }, { "introduced": "0" }, { "last_affected": "1.4-beta\\-1" }, { "introduced": "0" }, { "last_affected": "1.5" }, { "introduced": "0" }, { "last_affected": "1.6" }, { "introduced": "0" }, { "last_affected": "1.7" }, { "introduced": "0" }, { "last_affected": "1.8" }, { "introduced": "0" }, { "last_affected": "1.8.1" }, { "introduced": "0" }, { "last_affected": "1.9" }, { "introduced": "0" }, { "last_affected": "1.10" }, { "introduced": "0" }, { "last_affected": "2.0.0" }, { "introduced": "0" }, { "last_affected": "2.0.0-beta\\-1" }, { "introduced": "0" }, { "last_affected": "2.0.0-beta\\-2" }, { "introduced": "0" }, { "last_affected": "2.0.1" }, { "introduced": "0" }, { "last_affected": "2.0.1-beta\\-1" }, { "introduced": "0" }, { "last_affected": "2.0.1-beta\\-2" }, { "introduced": "0" }, { "last_affected": "2.0.1-beta\\-3" }, { "introduced": "0" }, { "last_affected": "2.0.1-beta\\-4" }, { "introduced": "0" }, { "last_affected": "2.0.1-beta\\-5" }, { "introduced": "0" }, { "last_affected": "2.0.1-beta\\-6" }, { "introduced": "0" }, { "last_affected": "2.0.2" }, { "introduced": "0" }, { "last_affected": "2.0.3" }, { "introduced": "0" }, { "last_affected": "2.0.4" }, { "introduced": "0" }, { "last_affected": "2.0.4-beta\\-1" }, { "introduced": "0" }, { "last_affected": "2.0.5" }, { "introduced": "0" }, { "last_affected": "2.0.6" }, { "introduced": "0" }, { "last_affected": "2.0.7" }, { "introduced": "0" }, { "last_affected": "2.2.0-alpha\\-1" }, { "introduced": "0" }, { "last_affected": "2.2.0-alpha\\-2" }, { "introduced": "0" }, { "last_affected": "2.2.0-alpha\\-3" }, { "introduced": "0" }, { "last_affected": "2.2.0-alpha\\-4" }, { "introduced": "0" }, { "last_affected": "2.2.0-beta\\-1" } ] }, "events": [ { "introduced": "0" }, { "last_affected": "5e2f4e75243820e6925b74efb783eba652809b66" }, { "introduced": "0" }, { "last_affected": "d0bb6096bf7244d6912d88b910ca2dcea0099ae8" }, { "introduced": "0" }, { "last_affected": "072e81abd274b6c022faf1f2a1d87c8185cdb93c" }, { "introduced": "0" }, { "last_affected": "6fb7a60b3e65737b07448b784a71cfeb992437f5" }, { "introduced": "0" }, { "last_affected": "92963bcfffeeec89b145cadd325d23fc3ea6a1fa" }, { "introduced": "0" }, { "last_affected": "f3bd76c19038b6e786cdf7aa57b3e54289279180" }, { "introduced": "0" }, { "last_affected": "5a99da3c324a9970978a58451d66aad0ff5f1e24" }, { "introduced": "0" }, { "last_affected": "ad7be3c7d89f4c4638fec9e662b3f70649018a20" }, { "introduced": "0" }, { "last_affected": "c4231dddcf26e3fa6aeba3b0848191c41937f0a0" }, { "introduced": "0" }, { "last_affected": "3ed123d8c94e8f1b01c6832b04b16eac6d3ed0d4" }, { "introduced": "0" }, { "last_affected": "c3af301523382497a243dc16f7e66b448429e83f" }, { "introduced": "0" }, { "last_affected": "87509b6efb3da0502bec64beaf23e8419179a81e" }, { "introduced": "0" }, { "last_affected": "ae58b0f58785bf1f86fbf5312573ae04b16eab47" }, { "introduced": "0" }, { "last_affected": "949791b2c99fcfffab1899975350ce0fb1600e26" }, { "introduced": "0" }, { "last_affected": "2621833420aa7e498afb42df642dd1f9390434a4" }, { "introduced": "0" }, { "last_affected": "db2d6a6ab3adbef5ce8519feff94e2b79b1ac0a8" }, { "introduced": "0" }, { "last_affected": "75299704c432348be7f95deca2738550d11dfad8" }, { "introduced": "0" }, { "last_affected": "b3113711a54ba1cbfbfab27c189a0be8acd6e8fe" }, { "introduced": "0" }, { "last_affected": "1d0261d4fcc86c6c51480c5fe0e90fa376661bab" }, { "introduced": "0" }, { "last_affected": "dd8b646e4286c7f437a27eb97bfe7b299d943f69" }, { "introduced": "0" }, { "last_affected": "e588e5fba88164d1f3193758eef816f5449de4d3" }, { "introduced": "0" }, { "last_affected": "fcffe78724a7c173957539598358e4e78482f17b" }, { "introduced": "0" }, { "last_affected": "819a0637e9eb0b36159e687bfc96435e97f06ccb" }, { "introduced": "0" }, { "last_affected": "62996d45d4f370434c26c38b20f99858d6a11cc1" }, { "introduced": "0" }, { "last_affected": "a46d604aafa2ed8cfdaf5aaa733449695ebcd739" }, { "introduced": "0" }, { "last_affected": "a61c9f565dee3cb3a213c9ff651c5c3625979ec2" }, { "introduced": "0" }, { "last_affected": "c7409bcddb4878764a9ac9d0fecee8588c01abdd" }, { "introduced": "0" }, { "last_affected": "d6a2bf41e79fc962b3c20efeb4cada0cdf774f74" }, { "introduced": "0" }, { "last_affected": "bb228e04094e092bccf43de96c7e43641c6524c7" }, { "introduced": "0" }, { "last_affected": "326f9edce3d4482ce1ac0ebe33ec7e94966f5b06" }, { "introduced": "0" }, { "last_affected": "0cbae281e9968e74875ef8dbde5f60d24dce6331" }, { "introduced": "0" }, { "last_affected": "9b0f36cb854110f2ebf0d942490639f118dadb67" }, { "introduced": "0" }, { "last_affected": "714a593d6db583368512be5fd730c3c7461bde6b" }, { "introduced": "0" }, { "last_affected": "853905f34815c9fc3eb13356927b25e787c5f8cd" }, { "introduced": "0" }, { "last_affected": "e8836ee3a088b04936b77351ec5ff6eb33ae18d0" }, { "introduced": "0" }, { "last_affected": "edbee15c66663f95c17f695f86fbeaada5d440ce" }, { "introduced": "0" }, { "last_affected": "1d1c621cf314d29eae3c1a52df887669217a2fef" }, { "introduced": "0" }, { "last_affected": "d8055b462d32a688e0c6b00fa47d11b131f21376" }, { "introduced": "0" }, { "last_affected": "f2d5f8864a1cf62e67195aedd9222f5a806f7237" } ], "repo": "https://github.com/jenkinsci/github-branch-source-plugin", "type": "GIT" } ] } ], "details": "GitHub Branch Source Plugin connects to a user-specified GitHub API URL (e.g. GitHub Enterprise) as part of form validation and completion (e.g. to verify Scan Credentials are correct). This functionality improperly checked permissions, allowing any user with Overall/Read access to Jenkins to connect to any web server and send credentials with a known ID, thereby possibly capturing them. Additionally, this functionality did not require POST requests be used, thereby allowing the above to be performed without direct access to Jenkins via Cross-Site Request Forgery.", "id": "CVE-2017-1000091", "modified": "2026-03-13T21:51:29.764648314Z", "published": "2017-10-05T01:29:03.743Z", "references": [ { "type": "ADVISORY", "url": "https://jenkins.io/security/advisory/2017-07-10/" } ], "severity": [ { "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "type": "CVSS_V3" } ] }