A unauthorized modification of configuration vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in User.java that allows attackers to provide crafted login credentials that cause Jenkins to move the config.xml file from the Jenkins home directory. If Jenkins is started without this file present, it will revert to the legacy defaults of granting administrator access to anonymous users.
References
Link | Resource |
---|---|
https://jenkins.io/security/advisory/2018-07-18/#SECURITY-897 | Mitigation Vendor Advisory |
https://www.oracle.com/security-alerts/cpuapr2022.html | Patch Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2018-07-23T19:00:00
Updated: 2022-04-19T23:19:27
Reserved: 2018-07-18T00:00:00
Link: CVE-2018-1999001
JSON object: View
NVD Information
Status : Analyzed
Published: 2018-07-23T19:29:00.237
Modified: 2022-06-13T19:03:00.723
Link: CVE-2018-1999001
JSON object: View
Redhat Information
No data.
CWE