PT-2018-15186 · Cloudbees+1 · Jenkins

Published

2018-07-23

Updated

2022-06-13

CVE-2018-1999001

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Jenkins versions 2.132 and earlier Jenkins versions 2.121.1 and earlier

Description A vulnerability exists that allows unauthorized modification of configuration, enabling attackers to provide crafted login credentials. This can cause Jenkins to move the config.xml file from the Jenkins home directory. If Jenkins starts without this file, it reverts to legacy defaults, granting administrator access to anonymous users.

Recommendations For Jenkins versions 2.132 and earlier, update to a version later than 2.132 to resolve the issue. For Jenkins versions 2.121.1 and earlier, update to a version later than 2.121.1 to resolve the issue.

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20

Related Identifiers

CVE-2018-1999001

GHSA-J8QV-MJ4R-6FW4

Affected Products

Jenkins

PT-2018-15186 · Cloudbees+1 · Jenkins

CVE-2018-1999001

Weakness Enumeration

Related Identifiers

Affected Products

References · 7