CVE-2018-1999001
Description
An unauthorized modification of configuration vulnerability exists in User.java in Jenkins 2.132 and earlier, 2.121.1 and earlier. It allows attackers to provide crafted login credentials that cause Jenkins to move the config.xml file from the Jenkins home directory. If Jenkins is started without this file present, it will revert to the legacy defaults of granting administrator access to anonymous users.
Risk Information
Base Score
8.8
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score
Exploitation Probability
27.312
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Multiple vulnerabilities affected in Jenkins 2.132 | Windows |
| Multiple vulnerabilities are fixed in Jenkins-Core 2.121.2 | Windows |
| Multiple vulnerabilities are fixed in Jenkins-Core 2.132 | Windows |
| Multiple vulnerabilities affected in Jenkins 2.132 (For Ubuntu) | Linux |
| Multiple vulnerabilities affected in Jenkins 2.132 (For Debian) | Linux |
| Multiple vulnerabilities affected in Jenkins 2.132 (For Centos) | Linux |
| Multiple vulnerabilities affected in Jenkins 2.132 (For RedHat) | Linux |
| Multiple vulnerabilities affected in Jenkins 2.132 (For Suse) | Linux |
| Multiple vulnerabilities are fixed in Jenkins-Core for Linux 2.121.2 | Linux |
| Multiple vulnerabilities are fixed in Jenkins-Core for Linux 2.132 | Linux |
Patch Details
No records found
References
https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234