CVE-2018-1999001
published 2018-07-23

Priority: P3, 56, high
CVSS 3.1: 8.8 (high), vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 18.12% (96.8th percentile)

An unauthorized modification of configuration vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in User.java that allows attackers to provide crafted login credentials that cause Jenkins to move the config.xml file from the Jenkins home directory. If Jenkins is started without this file present, it will revert to the legacy defaults of granting administrator access to anonymous users.

Affected (7 ranges)

Vendor    Product                                                Version range    Fixed in
jenkins   files_indicating_when_a_plugin                         -                -
jenkins   jenkins                                                <= 2.121.1       -
jenkins   jenkins                                                2.122 – 2.132    -
jenkins   jenkins_core                                           -                -
jenkins   jenkins_lts                                            -                -
jenkins   jenkins_weekly                                         -                -
oracle    communications_cloud_native_core_automated_test_suite  -                -

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     8.8    HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd            v2.0     4.3    MEDIUM    AV:N/AC:M/Au:N/C:P/I:N/A:N
vendor_redhat  -        8.8    HIGH      -