CVE-2018-1999001

See a problem?
Source
https://nvd.nist.gov/vuln/detail/CVE-2018-1999001
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-1999001.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2018-1999001
Aliases
Published
2018-07-23T19:29:00Z
Modified
2024-06-13T07:13:30.728636Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

A unauthorized modification of configuration vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in User.java that allows attackers to provide crafted login credentials that cause Jenkins to move the config.xml file from the Jenkins home directory. If Jenkins is started without this file present, it will revert to the legacy defaults of granting administrator access to anonymous users.

References

Affected packages

Git / github.com/jenkinsci/jenkins

Affected ranges

Type
GIT
Repo
https://github.com/jenkinsci/jenkins
Events

Affected versions

jenkins-2.*

jenkins-2.122
jenkins-2.124
jenkins-2.125
jenkins-2.126
jenkins-2.127
jenkins-2.128
jenkins-2.129
jenkins-2.130
jenkins-2.131
jenkins-2.132