CVE-2017-2654

LOW

Jenkins Email Extension < 2.57.1 - Information Exposure via Dynamic Recipient List

Title source: llm

Description

jenkins-email-ext before version 2.57.1 is vulnerable to an Information Exposure. The Email Extension Plugins is able to send emails to a dynamically created list of users based on the changelogs, like authors of SCM changes since the last successful build. This could in some cases result in emails being sent to people who have no user account in Jenkins, and in rare cases even people who were not involved in whatever project was being built, due to some mapping based on the local-part of email addresses.

References (2)

Core 2

Core References

Issue Tracking, Third Party Advisory x_refsource_confirm

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2654

Vendor Advisory x_refsource_confirm

https://jenkins.io/security/advisory/2017-03-20/

Scores

CVSS v3 3.7

EPSS 0.0003

EPSS Percentile 8.6%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE

CWE-200

Status published

Products (2)

jenkins/email_extension < 2.57.1

org.jenkins-ci.plugins/email-ext 0 - 2.57.1Maven

Published Aug 06, 2018

Tracked Since Feb 18, 2026