Medium severity6.5NVD Advisory· Published Oct 5, 2017· Updated May 13, 2026

CVE-2017-1000084

Description

Parameterized Trigger Plugin fails to check Item/Build permission: The Parameterized Trigger Plugin did not check the build authentication it was running as and allowed triggering any other project in Jenkins.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.jenkins-ci.plugins:parameterized-triggerMaven	< 2.35.1	2.35.1

Patches

345d54f8f031

[JENKINS-45471] Not add null values to the list

https://github.com/fbelzunc/parameterized-trigger-pluginFélix Belzunce ArcosJul 12, 2017via ghsa

commit

1 file changed · +6 −2

src/main/java/hudson/plugins/parameterizedtrigger/BuildTriggerConfig.java+6 −2 modified

@@ -387,6 +387,7 @@ public List<Future<AbstractBuild>> perform(AbstractBuild<?, ?> build, Launcher l
 
         try {
 			if (condition.isMet(build.getResult())) {
+                Future future = null;
                 List<Future<AbstractBuild>> futures = new ArrayList<Future<AbstractBuild>>();
 
                 for (List<AbstractBuildParameters> addConfigs : getDynamicBuildParameters(build, listener)) {
@@ -395,8 +396,11 @@ public List<Future<AbstractBuild>> perform(AbstractBuild<?, ?> build, Launcher l
                             build, listener);
                     for (Job project : getJobs(build.getRootBuild().getProject().getParent(), env)) {
                         List<Action> list = getBuildActions(actions, project);
-
-                        futures.add(schedule(build, project, list, listener));
+                        //Future can be null as schedule can return null
+                        future = schedule(build, project, list, listener);
+                        if (future != null) {
+                            futures.add(future);
+                        }
                     }
                 }

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-mc22-25r3-2w9wghsaADVISORY
jenkins.io/security/advisory/2017-07-10/nvdVendor Advisory
nvd.nist.gov/vuln/detail/CVE-2017-1000084ghsaADVISORY
github.com/fbelzunc/parameterized-trigger-plugin/commit/345d54f8f031bef68ecb6fd4e7eee0be720162e4ghsaWEB
github.com/jenkinsci/parameterized-trigger-plugin/pull/114ghsaWEB
issues.jenkins.io/browse/JENKINS-45471ghsaWEB
jenkins.io/security/advisory/2017-07-10ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.423
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000