CVE-2018-1999001
CVE-2018-1999001 is a high-severity vulnerability rated 8.8/10 on the CVSS scale. An unauthorized modification of configuration vulnerability exists in Jenkins 2.132 and earlier, and 2.121.1 and earlier, in User.java that allows attackers to provide crafted login credentials that cause Jenkins to move the config.xml file from the Jenkins home directory. If Jenkins is started without this file present, it reverts to the legacy default of granting administrator access to anonymous users. EPSS estimates an 18.12% chance of exploitation in the next 30 days.
Description
An unauthorized modification of configuration vulnerability exists in Jenkins 2.132 and earlier, and 2.121.1 and earlier, in User.java that allows attackers to provide crafted login credentials that cause Jenkins to move the config.xml file from the Jenkins home directory. If Jenkins is started without this file present, it reverts to the legacy default of granting administrator access to anonymous users.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Jenkins | Jenkins | <= 2.121.1 |
| Jenkins | Jenkins | >= 2.122, <= 2.132 |
| Oracle | Communications Cloud Native Core Automated Test Suite | 1.9.0 |
References
- https://jenkins.io/security/advisory/2018-07-18/#SECURITY-897 (Mitigation, Vendor Advisory)
- https://www.oracle.com/security-alerts/cpuapr2022.html (Patch, Third Party Advisory)
Source: NVD / NIST
