Description
A data modification vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in User.java, IdStrategy.java that allows attackers to submit crafted user names that can cause an improper migration of user record storage formats, potentially preventing the victim from logging into Jenkins.
References (4)
Vendor Advisory (x_refsource_confirm): https://jenkins.io/security/advisory/2018-12-05/#SECURITY-1072
Third Party Advisory, vendor-advisory (x_refsource_redhat): https://access.redhat.com/errata/RHBA-2019:0024
Third Party Advisory, VDB Entry, vdb-entry (x_refsource_bid): http://www.securityfocus.com/bid/106176
Exploit, Third Party Advisory (x_refsource_misc): https://www.tenable.com/security/research/tra-2018-43
Scores
CVSS v3: 8.2
EPSS: 0.0621
EPSS Percentile: 91.0%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Details
CWE: CWE-22
Status: published
Products (4)
jenkins/jenkins: < 2.138.3
jenkins/jenkins: < 2.153
org.jenkins-ci.main/jenkins-core: 0 - 2.138.4 (Maven)
redhat/openshift_container_platform: 3.11
Published: Dec 10, 2018
Tracked Since: Feb 18, 2026