CVE-2015-1810 — Improper Authentication in Jenkins

CWE-264 CWE-287 — Improper Authentication CWE-20 — Improper Input Validation7 documents6 sources

Severity

4.6MEDIUMNVD

EPSS

0.4%

top 37.20%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Redhat Openshift

Timeline

PublishedOct 16

Latest updateMay 17

Description

The HudsonPrivateSecurityRealm class in Jenkins before 1.600 and LTS before 1.596.1 does not restrict access to reserved names when using the "Jenkins' own user database" setting, which allows remote attackers to gain privileges by creating a reserved name.

CVSS vector

AV:N/AC:H/C:P/I:P/A:PExploitability: 3.9 | Impact: 6.4

Affected Packages2 packages

▶NVDjenkins/jenkins1.580.3+1

▶NVDredhat/openshift3.1

🔴Vulnerability Details

GHSA

Jenkins does not Restrict Reserved Names Allowing for Privilege Escalation↗2022-05-17

▶

OSV

Jenkins does not Restrict Reserved Names Allowing for Privilege Escalation↗2022-05-17

▶

CVEList

CVE-2015-1810: The HudsonPrivateSecurityRealm class in Jenkins before 1↗2015-10-16

▶

📋Vendor Advisories

Red Hat

jenkins: HudsonPrivateSecurityRealm allows creation of reserved names (SECURITY-166)↗2015-02-27

▶

💬Community

Bugzilla

CVE-2015-1806 CVE-2015-1807 CVE-2015-1813 CVE-2015-1812 CVE-2015-1811 CVE-2015-1810 CVE-2015-1808 CVE-2015-1809 CVE-2015-1814 jenkins: various flaws [fedora-all]↗2015-03-25

▶

Bugzilla

CVE-2015-1810 jenkins: HudsonPrivateSecurityRealm allows creation of reserved names (SECURITY-166)↗2015-03-25

▶