CVE-2018-1000408

Name of the Vulnerable Software and Affected Versions Jenkins versions 2.145 and earlier Jenkins LTS versions 2.138.1 and earlier

Description A denial of service issue exists that allows attackers without Overall/Read permission to access a specific URL on instances using the built-in Jenkins user database security realm, resulting in the creation of an ephemeral user record in memory. The issue is related to the HudsonPrivateSecurityRealm.java file in core/src/main/java/hudson/security/.

Recommendations For Jenkins versions 2.145 and earlier, update to a version later than 2.145 to resolve the issue. For Jenkins LTS versions 2.138.1 and earlier, update to a version later than 2.138.1 to resolve the issue.