Vulnerability Report

CVE-2017-1000086

Title: Jenkins Periodic Backup Broken Access Control

Other

Proof Of Concept

No public PoC currently indexed for CVE-2017-1000086.

CWE Category CWE-862

Published Date Oct 05, 2017

Modified Date May 13, 2026

Exploit Status Not Found

Score 8.0 CVSS v3.0

Exploit Probability (EPSS)

0.09%

Vulnerability Summary

CVE-2017-1000086: The Periodic Backup Plugin did not perform any permission checks, allowing any user with Overall/Read access to change its settings, trigger backups, restore backups, download backups, and also delete all previous backups via log rotation. Additionally, the plugin was not requiring requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks.

Impacted Vendors

jenkins 1

Reference Links

http://www.securityfocus.com/bid/100437 https://jenkins.io/security/advisory/2017-07-10/ http://www.securityfocus.com/bid/100437 https://jenkins.io/security/advisory/2017-07-10/

CVSS v3.0

Source Entity [email protected]

Severity HIGH

8.0

Attack Vector

NETWORK

Complexity

LOW

Privileges

N/A

Interaction

REQUIRED

Confidentiality

N/A

Integrity

N/A

Availability

N/A

Scope

UNCHANGED

RAW VECTOR CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CVSS v2.0

Source Entity [email protected]

Severity MEDIUM

6.0

Access Vector

N/A

Authentication

N/A

RAW VECTOR AV:N/AC:M/Au:S/C:P/I:P/A:P

Associated Attack Patterns (CAPEC)

Total: Patterns