GitHub Advisory DatabaseGHSA-4JHM-5F7G-75FPImproper Limitation of a Pathname to a Restricted Directory in Jenkins
6.4 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:P/A:P
8.2 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
0.006 Low
EPSS
Percentile
78.4%
A data modification vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in User.java, IdStrategy.java that allows attackers to submit crafted user names that can cause an improper migration of user record storage formats, potentially preventing the victim from logging into Jenkins.
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| org.jenkins-ci.main:jenkins-core | le | 2.153 | |
| org.jenkins-ci.main:jenkins-core | le | 2.138.3 |
References
www.securityfocus.com/bid/106176
access.redhat.com/errata/RHBA-2019:0024
github.com/advisories/GHSA-4jhm-5f7g-75fp
github.com/jenkinsci/jenkins/commit/4ed66e5838476e575a83c3cd13fffb37eefa2f48
github.com/jenkinsci/jenkins/commit/7bae6dd6ef23af988801d38dc0f8f693bc6283f8
jenkins.io/security/advisory/2018-12-05/#SECURITY-1072
nvd.nist.gov/vuln/detail/CVE-2018-1000863
www.tenable.com/security/research/tra-2018-43
Related
6.4 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:P/A:P
8.2 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
0.006 Low
EPSS
Percentile
78.4%