CVE-2018-1999001

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2018-1999001

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-1999001.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2018-1999001

Aliases

GHSA-j8qv-mj4r-6fw4

Published

2018-07-23T19:29:00.237Z

Modified

2026-03-14T01:39:17.300365Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

A unauthorized modification of configuration vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in User.java that allows attackers to provide crafted login credentials that cause Jenkins to move the config.xml file from the Jenkins home directory. If Jenkins is started without this file present, it will revert to the legacy defaults of granting administrator access to anonymous users.

References

Affected packages

Git / github.com/jenkinsci/jenkins

Affected ranges

Type

GIT

Repo

https://github.com/jenkinsci/jenkins

Events

Introduced

Last affected

8a653f84283b1729d0ecd25138d472de83af1b6d

Introduced

261ddc1c9a610bffa61b6e9f559a27c363216f6d

Last affected

85354aad981e4115f8f2d0c9e66b43c31dd22810

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.121.1"
        },
        {
            "introduced": "2.122"
        },
        {
            "last_affected": "2.132"
        }
    ]
}

Affected versions

jenkins-2.*

jenkins-2.121.1

jenkins-2.122

Database specific

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "1.9.0"
            }
        ]
    }
]

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-1999001.json"