Description

A denial of service vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java that allows attackers without Overall/Read permission to access a specific URL on instances using the built-in Jenkins user database security realm that results in the creation of an ephemeral user record in memory.

Remediation

References

CVE-2018-1000408

Related Vulnerabilities

WordPress Plugin Orbit Fox by ThemeIsle Multiple Vulnerabilities (2.10.2)

TCExam Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2021-20112)

WordPress Plugin Patreon WordPress Multiple Cross-Site Scripting Vulnerabilities (1.7.1)

WordPress Plugin Simple Ads Manager Denial of Service (2.9.3.114)

Squid CVE-2019-12523 Vulnerability (CVE-2019-12523)

Severity

Medium

Classification

CVE-2018-1000408 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Tags

Missing Update Known Vulnerabilities