Base Score

HIGH7.5

CVE-2018-1999043

A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in BasicAuthenticationFilter.java, BasicHeaderApiTokenAuthenticator.java that allows attackers to create ephemeral in-memory user records by attempting to log in using invalid credentials.

VectorNETWORK

Published Bycve@mitre.org

Published DateAug 23, 2018, 18:29

Affected Versions(2)

org.jenkins-ci.main:jenkins-core(Maven)

Introduced0

Fixed2.121.3

LimitN/A

org.jenkins-ci.main:jenkins-core(Maven)

Introduced2.122

Fixed2.138

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
org.jenkins-ci.main:jenkins-core(Maven)	0	2.121.3	N/A
org.jenkins-ci.main:jenkins-core(Maven)	2.122	2.138	N/A

Weakness Type (CWE):CWE-772

CVSS Metrics

Base Score

7.5

Vector String

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Base Severity

HIGH

Version

3.0

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

NONE

Integrity (I)

NONE

Availability (A)

HIGH

References

https://jenkins.io/security/advisory/2018-08-15/#SECURITY-672

Base Score

HIGH7.5

Weakness Type (CWE):CWE-772

CVSS Metrics

Base Score

7.5

Vector String

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Base Severity

HIGH

Version

3.0

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

NONE

Integrity (I)

NONE

Availability (A)

HIGH