CVE-2017-1000390
Description
Jenkins Multijob plugin ≤1.25 allows users with Job/Read to resume builds without proper permission checks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Jenkins Multijob plugin version 1.25 and earlier did not check permissions in the Resume Build action [1][2]. This allows any user with Job/Read permission to resume a build, even if they lack the intended Job/Build or other permissions typically required to trigger or resume builds [1].
Exploitation
An attacker needs only Job/Read permission on a Jenkins job using the Multijob plugin [1]. With that access, the attacker can navigate to the Resume Build action and resume a previously failed or aborted build, bypassing the authorization check that the resume operation should require [1][2].
Impact
An attacker with Job/Read permission can resume builds without authorization, potentially causing unauthorized build execution, resource consumption, or triggering downstream tasks that the attacker should not be able to start [1]. The impact is primarily on availability and integrity of build processes, as an attacker can restart builds that might have been intentionally stopped or that are in a sensitive state [1][2].
Mitigation
Jenkins has fixed this issue by adding permission checks in version 1.26 of the Multijob plugin [1][2]. Users should update to version 1.26 or later. No workarounds are documented; upgrading is the recommended mitigation [1][2].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:jenkins-multijob-plugin (Maven) | < 1.26 | 1.26 |
Affected products: 1
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — this section is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- github.com/advisories/GHSA-p9r2-gghq-hc57 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2017-1000390 (GHSA, advisory)
- www.securityfocus.com/bid/102824 (GHSA, vdb-entry; x_refsource_BID)
- jenkins.io/security/advisory/2017-10-23 (GHSA)
- jenkins.io/security/advisory/2017-10-23/ (MITRE, x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.