vulnerability

Jenkins Advisory 2018-07-18: CVE-2018-1999001: Users without Overall/Read permission can have Jenkins reset parts of global configuration on the next restart

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
4	(AV:N/AC:M/Au:N/C:P/I:N/A:N)	Jul 23, 2018	Aug 10, 2018	Mar 27, 2026

Severity

CVSS

(AV:N/AC:M/Au:N/C:P/I:N/A:N)

Published

Jul 23, 2018

Added

Aug 10, 2018

Modified

Mar 27, 2026

Description

A unauthorized modification of configuration vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in User.java that allows attackers to provide crafted login credentials that cause Jenkins to move the config.xml file from the Jenkins home directory. If Jenkins is started without this file present, it will revert to the legacy defaults of granting administrator access to anonymous users.

Solutions

jenkins-lts-upgrade-2_121_2jenkins-upgrade-2_133

References

CVE-2018-199900
https://attackerkb.com/topics/CVE-2018-199900
EUVD-EUVD-2022-4316
https://euvd.enisa.europa.eu/vulnerability/EUVD-2022-4316
https://jenkins.io/security/advisory/2018-07-18/

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report