CVE-2015-1810

The HudsonPrivateSecurityRealm class in Jenkins before 1.600 and LTS before 1.596.1 does not restrict access to reserved names when using the "Jenkins' own user database" setting, which allows remote attackers to gain privileges by creating a reserved name.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.6 UNKNOWN
NETWORK
HIGH
AV:N/AC:H/Au:S/C:P/I:P/A:P
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
jenkinsjenkins
𝑥
≤ 1.580.3
redhatopenshift
𝑥
≤ 3.1
jenkinsjenkins
𝑥
≤ 1.599
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
jenkins
lucid
dne
precise
ignored
trusty
dne
utopic
dne
vivid
dne
wily
dne
xenial
dne
yakkety
dne
zesty
dne
Common Weakness Enumeration
References
http://rhn.redhat.com/errata/RHSA-2015-1844.html
https://access.redhat.com/errata/RHSA-2016:0070
https://bugzilla.redhat.com/show_bug.cgi?id=1205627
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-02-27
http://rhn.redhat.com/errata/RHSA-2015-1844.html
https://access.redhat.com/errata/RHSA-2016:0070
https://bugzilla.redhat.com/show_bug.cgi?id=1205627
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-02-27