CVE-2018-1999001 – org.jenkins-ci.main:jenkins-core

Package

Manager: maven
Name: org.jenkins-ci.main:jenkins-core
Vulnerable Version: >=0 <2.121.2 || >=2.122 <2.132

Severity

Level: High

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.37763 pctl0.971

Details

Improper Input Validation in Jenkins A unauthorized modification of configuration vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in User.java that allows attackers to provide crafted login credentials that cause Jenkins to move the config.xml file from the Jenkins home directory. If Jenkins is started without this file present, it will revert to the legacy defaults of granting administrator access to anonymous users.

Metadata

Created: 2022-05-13T01:01:00Z
Modified: 2022-06-28T23:27:28Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-j8qv-mj4r-6fw4/GHSA-j8qv-mj4r-6fw4.json
CWE IDs: ["CWE-20"]
Alternative ID: GHSA-j8qv-mj4r-6fw4
Finding: F184
Auto approve: 1