CVE-2018-1000863

Name: CVE-2018-1000863
Creator: NVD / NIST
Published: 2018-12-10T14:29:01.51+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 6.76%

Last modified Jun 17, 2026

CVE-2018-1000863 is a vulnerability of currently unknown severity. A data modification vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in User.java, IdStrategy.java that allows attackers to submit crafted user names that can cause an improper migration of user record storage formats, potentially preventing the victim from logging into Jenkins.. EPSS estimates a 6.76% chance of exploitation in the next 30 days.

Description

A data modification vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in User.java, IdStrategy.java that allows attackers to submit crafted user names that can cause an improper migration of user record storage formats, potentially preventing the victim from logging into Jenkins.

Metrics

EPSS Probability

6.76%

93.1th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-22

Affected Software

Vendor	Product	Versions
Jenkins	Jenkins	<= 2.138.3
Jenkins	Jenkins	<= 2.153
Redhat	Openshift Container Platform	3.11

References

http://www.securityfocus.com/bid/106176Third Party Advisory, VDB Entry
https://access.redhat.com/errata/RHBA-2019:0024Third Party Advisory
https://jenkins.io/security/advisory/2018-12-05/#SECURITY-1072Vendor Advisory
https://www.tenable.com/security/research/tra-2018-43Exploit, Third Party Advisory
http://www.securityfocus.com/bid/106176Third Party Advisory, VDB Entry
https://access.redhat.com/errata/RHBA-2019:0024Third Party Advisory
https://jenkins.io/security/advisory/2018-12-05/#SECURITY-1072Vendor Advisory
https://www.tenable.com/security/research/tra-2018-43Exploit, Third Party Advisory

Timeline

Published: Dec 10, 2018
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2018-1000863?

How severe is CVE-2018-1000863?

Severity scoring for CVE-2018-1000863 is pending analysis. The EPSS model estimates a 6.76% probability of exploitation in the next 30 days.

How do I fix CVE-2018-1000863?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2018-1000863?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST