CVE-2018-1999001

A unauthorized modification of configuration vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in User.java that allows attackers to provide crafted login credentials that cause Jenkins to move the config.xml file from the Jenkins home directory. If Jenkins is started without this file present, it will revert to the legacy defaults of granting administrator access to anonymous users.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.8 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 97%
VendorProductVersion
jenkinsjenkins
𝑥
≤ 2.121.1
jenkinsjenkins
2.122 ≤
𝑥
≤ 2.132
oraclecommunications_cloud_native_core_automated_test_suite
1.9.0
𝑥
= Vulnerable software versions
References
https://jenkins.io/security/advisory/2018-07-18/#SECURITY-897
https://www.oracle.com/security-alerts/cpuapr2022.html
https://jenkins.io/security/advisory/2018-07-18/#SECURITY-897
https://www.oracle.com/security-alerts/cpuapr2022.html