vulnerability

Jenkins Advisory 2018-07-18: CVE-2018-1999001: Users without Overall/Read permission can have Jenkins reset parts of global configuration on the next restart

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
4	(AV:N/AC:M/Au:N/C:P/I:N/A:N)	Jul 23, 2018	Aug 10, 2018	Sep 19, 2018

Severity

CVSS

(AV:N/AC:M/Au:N/C:P/I:N/A:N)

Published

Jul 23, 2018

Added

Aug 10, 2018

Modified

Sep 19, 2018

Description

A unauthorized modification of configuration vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in User.java that allows attackers to provide crafted login credentials that cause Jenkins to move the config.xml file from the Jenkins home directory. If Jenkins is started without this file present, it will revert to the legacy defaults of granting administrator access to anonymous users.

Solutions

jenkins-lts-upgrade-2_121_2jenkins-upgrade-2_133

References

CVE-2018-199900
https://attackerkb.com/topics/CVE-2018-199900
URL-https://jenkins.io/security/advisory/2018-07-18/

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today