CVE-2018-1999001 — Improper Input Validation in Jenkins

CWE-20 — Improper Input Validation8 documents7 sources

Severity

8.8HIGHNVD

EPSS

27.3%

top 3.59%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Oracle Communications Cloud Native Core Automated Test Suite

Timeline

PublishedJul 23

Latest updateMay 13

Description

A unauthorized modification of configuration vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in User.java that allows attackers to provide crafted login credentials that cause Jenkins to move the config.xml file from the Jenkins home directory. If Jenkins is started without this file present, it will revert to the legacy defaults of granting administrator access to anonymous users.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶NVDjenkins/jenkins2.122 — 2.132+1

▶NVDoracle/communications_cloud_native_core_automated_test_suite1.9.0

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

GHSA

Improper Input Validation in Jenkins↗2022-05-13

▶

OSV

Improper Input Validation in Jenkins↗2022-05-13

▶

CVEList

CVE-2018-1999001: A unauthorized modification of configuration vulnerability exists in Jenkins 2↗2018-07-23

▶

📋Vendor Advisories

Red Hat

jenkins: Remote unauthenticated users can move config.xml allowing administrator access to anonymous users↗2018-07-18

▶

Jenkins

Jenkins Security Advisory 2018-07-18↗2018-07-18

▶

💬Community

Bugzilla

CVE-2018-1999001 jenkins: Remote unauthenticated users can move config.xml allowing administrator access to anonymous users↗2018-07-30

▶

Bugzilla

CVE-2018-1999001 jenkins: Remote unauthenticated users can move config.xml allowing administrator access to anonymous users [fedora-all]↗2018-07-30

▶