Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1qOHF2LW1qNHItNmZ3NM3mdQ
Improper Input Validation in Jenkins
A unauthorized modification of configuration vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in User.java that allows attackers to provide crafted login credentials that cause Jenkins to move the config.xml file from the Jenkins home directory. If Jenkins is started without this file present, it will revert to the legacy defaults of granting administrator access to anonymous users.
Permalink: https://github.com/advisories/GHSA-j8qv-mj4r-6fw4JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qOHF2LW1qNHItNmZ3NM3mdQ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: 4 months ago
CVSS Score: 8.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Identifiers: GHSA-j8qv-mj4r-6fw4, CVE-2018-1999001
References:
- https://nvd.nist.gov/vuln/detail/CVE-2018-1999001
- https://jenkins.io/security/advisory/2018-07-18/#SECURITY-897
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://github.com/jenkinsci/jenkins/commit/5f4d014b3b7f89e206c6c8509540ed559f604959
- https://github.com/advisories/GHSA-j8qv-mj4r-6fw4
Blast Radius: 1.0
Affected Packages
maven:org.jenkins-ci.main:jenkins-core
Affected Version Ranges: >= 2.122, < 2.132, < 2.121.2Fixed in: 2.132, 2.121.2