PT-2018-5167 · Cloudbees+1 · Jenkins

Steve Marlowe

Published

2018-01-29

Updated

2022-05-14

CVE-2017-1000356

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Jenkins versions 2.56 and earlier Jenkins version 2.46.1 LTS and earlier

Description The issue exists in the Jenkins user database authentication realm. It allows creating an account if signup is enabled, or creating an account if the victim is an administrator. This could possibly delete the existing default admin user, allowing a wide variety of impacts.

Recommendations For Jenkins versions 2.56 and earlier, update to a version later than 2.56 to resolve the issue. For Jenkins version 2.46.1 LTS and earlier, update to a version later than 2.46.1 LTS to resolve the issue.

Fix

CSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-352

Related Identifiers

CVE-2017-1000356

GHSA-85WQ-PQHP-HMQ6

Affected Products

Jenkins

PT-2018-5167 · Cloudbees+1 · Jenkins

CVE-2017-1000356

Weakness Enumeration

Related Identifiers

Affected Products

References · 9