CVE-2018-1000863 — Path Traversal in Jenkins

CWE-22 — Path Traversal CWE-20 — Improper Input Validation8 documents7 sources

Severity

8.2HIGHNVD

EPSS

6.2%

top 9.10%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Redhat Openshift Container Platform

Timeline

PublishedDec 10

Latest updateMay 13

Description

A data modification vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in User.java, IdStrategy.java that allows attackers to submit crafted user names that can cause an improper migration of user record storage formats, potentially preventing the victim from logging into Jenkins.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:HExploitability: 3.9 | Impact: 4.2

Affected Packages1 packages

▶NVDjenkins/jenkins2.138.3+1

Also affects: Openshift Container Platform 3.11

🔴Vulnerability Details

GHSA

Improper Limitation of a Pathname to a Restricted Directory in Jenkins↗2022-05-13

▶

OSV

Improper Limitation of a Pathname to a Restricted Directory in Jenkins↗2022-05-13

▶

CVEList

CVE-2018-1000863: A data modification vulnerability exists in Jenkins 2↗2018-12-10

▶

📋Vendor Advisories

Red Hat

jenkins: forced migration of user records (SECURITY-1072)↗2018-12-05

▶

Jenkins

Jenkins Security Advisory 2018-12-05↗2018-12-05

▶

💬Community

Bugzilla

CVE-2018-1000863 jenkins: forced migration of user records (SECURITY-1072)↗2018-12-06

▶

Bugzilla

CVE-2018-1000863 jenkins: forced migration of user records (SECURITY-1072) [fedora-all]↗2018-12-06

▶