CVE-2018-1999001

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2018-1999001

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-1999001.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2018-1999001

Aliases

GHSA-j8qv-mj4r-6fw4

Published

2018-07-23T19:29:00Z

Modified

2024-09-03T02:09:58.757004Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

A unauthorized modification of configuration vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in User.java that allows attackers to provide crafted login credentials that cause Jenkins to move the config.xml file from the Jenkins home directory. If Jenkins is started without this file present, it will revert to the legacy defaults of granting administrator access to anonymous users.

References

Affected packages

Git / github.com/jenkinsci/jenkins

Affected ranges

Type: GIT
Repo: https://github.com/jenkinsci/jenkins
Events: Introduced

261ddc1c9a610bffa61b6e9f559a27c363216f6d

Last affected

85354aad981e4115f8f2d0c9e66b43c31dd22810

Last affected

8a653f84283b1729d0ecd25138d472de83af1b6d

Affected versions

jenkins-2.*

jenkins-2.122

jenkins-2.124

jenkins-2.125

jenkins-2.126

jenkins-2.127

jenkins-2.128

jenkins-2.129

jenkins-2.130

jenkins-2.131

jenkins-2.132