2018-02-15 20:35
2018-02-01 19:03
2018-01-29 20:35
2017-05-10 23:55
2017-04-28 13:03


Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to a login command which allowed impersonating any Jenkins user. The `login` command available in the remoting-based CLI stored the encrypted user name of the successfully authenticated user in a cache file used to authenticate further commands. Users with sufficient permission to create secrets in Jenkins, and download their encrypted values (e.g. with Job/Configure permission), were able to impersonate any other Jenkins user on the same instance.

Am I vulnerable?

The constraints below list the versions that this vulnerability is patched in, and versions that are unaffected. If a patch is ready but unrealeased, then it is pending.

Or, you can just let us figure it out for you! Appcanary continously monitor your installed packages, and tell you if any of them are vulnerable.

Sign up for monitoring

Affected package information



Release Package Reason
precise jenkins ignored
precise/esm jenkins DNE
trusty jenkins DNE
vivid/stable-phone-overlay jenkins DNE
vivid/ubuntu-core jenkins DNE
xenial jenkins DNE
yakkety jenkins DNE
zesty jenkins DNE
devel jenkins DNE

Needs Triage

Release Package Reason
upstream jenkins needs-triage