Vulnerability Description
A data modification vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in User.java, IdStrategy.java that allows attackers to submit crafted user names that can cause an improper migration of user record storage formats, potentially preventing the victim from logging into Jenkins.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Jenkins | Jenkins | <= 2.138.3 |
| Redhat | Openshift Container Platform | 3.11 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/106176Third Party AdvisoryVDB Entry
- https://access.redhat.com/errata/RHBA-2019:0024Third Party Advisory
- https://jenkins.io/security/advisory/2018-12-05/#SECURITY-1072Vendor Advisory
- https://www.tenable.com/security/research/tra-2018-43ExploitThird Party Advisory
- http://www.securityfocus.com/bid/106176Third Party AdvisoryVDB Entry
- https://access.redhat.com/errata/RHBA-2019:0024Third Party Advisory
- https://jenkins.io/security/advisory/2018-12-05/#SECURITY-1072Vendor Advisory
- https://www.tenable.com/security/research/tra-2018-43ExploitThird Party Advisory
FAQ
What is CVE-2018-1000863?
CVE-2018-1000863 is a vulnerability with a CVSS score of 8.2 (HIGH). A data modification vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in User.java, IdStrategy.java that allows attackers to submit crafted user names that can cause an improp...
How severe is CVE-2018-1000863?
CVE-2018-1000863 has been rated HIGH with a CVSS base score of 8.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-1000863?
Check the references section above for vendor advisories and patch information. Affected products include: Jenkins Jenkins, Redhat Openshift Container Platform.