#VU16574 Improper input validation in Jenkins


Published: 2018-12-18

Vulnerability identifier: #VU16574

Vulnerability risk: Low

CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2018-1000863

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Jenkins
Server applications / Application servers

Vendor: Jenkins

Description

The vulnerability allows a remote unauthenticated attacker to cause a denial-of-service (DoS) condition.

The vulnerability exists in User.java and IdStrategy.java in Jenkins because user names are not sufficiently validated before they are used to locate and migrate user records. A remote attacker can attempt to log in with a crafted user name that forces an improper migration of user records, which can prevent legitimate users of the application from logging in.

Mitigation
The vulnerability has been fixed in Jenkins weekly 2.154 and in Jenkins LTS 2.138.4 and 2.150.1. Update to one of these versions or later.

Vulnerable software versions

Jenkins: 2.19.2 - 2.153
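A quick way to tell whether a given Jenkins instance falls inside the affected range above is to read the version it advertises in the X-Jenkins response header (sent on /login without authentication) and compare it against the fixed releases named in the mitigation. The following is an added example written for this bulletin, not code from the Jenkins project; the affected range, the fixed versions and the weekly/LTS convention (two-component version numbers are weekly releases, three-component ones are LTS) are taken from this page, and the base URL used in check_server is an assumed placeholder.

```python
import re
import urllib.request

# Fixed releases named in this bulletin.
FIXED_WEEKLY = (2, 154)
FIXED_LTS = {(2, 138): 4, (2, 150): 1}   # LTS line -> first fixed patch level
# Lower bound of the affected range given on this page.
FIRST_AFFECTED = (2, 19, 2)


def parse_version(text):
    """'2.138.4' -> (2, 138, 4); '2.153' -> (2, 153).
    Weekly releases use two components, LTS releases three."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?\s*", text)
    if not m:
        raise ValueError(f"not a Jenkins version string: {text!r}")
    return tuple(int(part) for part in m.groups() if part is not None)


def is_vulnerable(version):
    """True if the version is inside the bulletin's affected range and
    predates the fix for its release line."""
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return False
    if len(v) == 2:                      # weekly line: fixed from 2.154 on
        return v < FIXED_WEEKLY
    line, patch = v[:2], v[2]            # LTS line
    if line in FIXED_LTS:                # 2.138.x and 2.150.x got point fixes
        return patch < FIXED_LTS[line]
    # Older LTS lines (e.g. 2.121.x) never received the fix; LTS lines
    # newer than 2.150 were cut after it and contain it.
    return line < (2, 150)


def version_from_headers(headers):
    """Jenkins reports its version in the X-Jenkins header of most responses,
    including the unauthenticated /login page."""
    for name, value in headers.items():
        if name.lower() == "x-jenkins":
            return value
    raise LookupError("no X-Jenkins header; is this really Jenkins?")


def check_server(base_url):
    """Live check against a server. base_url is an assumed placeholder
    (e.g. 'https://jenkins.example.internal'), not a value from the bulletin."""
    with urllib.request.urlopen(base_url.rstrip("/") + "/login") as resp:
        version = version_from_headers(dict(resp.headers))
    return version, is_vulnerable(version)


if __name__ == "__main__":
    # Constructed sample response headers, as an affected LTS server would send.
    sample_headers = {"X-Jenkins": "2.138.3", "Content-Type": "text/html"}
    ver = version_from_headers(sample_headers)
    print(ver, "vulnerable" if is_vulnerable(ver) else "fixed")
```

Note that the check only classifies the version string; an instance that sits behind a proxy which strips X-Jenkins, or that has been patched by other means, must be verified from the Jenkins UI (Manage Jenkins) instead.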


External links
http://jenkins.io/security/advisory/2018-12-05/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote, non-authenticated attacker over the network, including the Internet if the Jenkins login page is reachable from it.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability, and no public exploit code is listed for it (see "Exploit availability" above).

