GitHub Advisory DatabaseGHSA-4JHM-5F7G-75FPImproper Limitation of a Pathname to a Restricted Directory in Jenkins
8.2 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
6.4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:P/A:P
0.023 Low
EPSS
Percentile
89.7%
A data modification vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in User.java, IdStrategy.java that allows attackers to submit crafted user names that can cause an improper migration of user record storage formats, potentially preventing the victim from logging into Jenkins.
| CPE | Name | Operator | Version |
|---|---|---|---|
| org.jenkins-ci.main:jenkins-core | le | 2.153 | |
| org.jenkins-ci.main:jenkins-core | le | 2.138.3 |
References
www.securityfocus.com/bid/106176
access.redhat.com/errata/RHBA-2019:0024
github.com/advisories/GHSA-4jhm-5f7g-75fp
github.com/jenkinsci/jenkins/commit/4ed66e5838476e575a83c3cd13fffb37eefa2f48
github.com/jenkinsci/jenkins/commit/7bae6dd6ef23af988801d38dc0f8f693bc6283f8
jenkins.io/security/advisory/2018-12-05/#SECURITY-1072
nvd.nist.gov/vuln/detail/CVE-2018-1000863
www.tenable.com/security/research/tra-2018-43
Related
8.2 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
6.4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:P/A:P
0.023 Low
EPSS
Percentile
89.7%