CVE-2015-1810

medium

Description

The HudsonPrivateSecurityRealm class in Jenkins before 1.600 and LTS before 1.596.1 does not restrict access to reserved names when using the "Jenkins' own user database" setting, which allows remote attackers to gain privileges by creating a reserved name.

References

https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-02-27

https://bugzilla.redhat.com/show_bug.cgi?id=1205627

https://access.redhat.com/errata/RHSA-2016:0070

http://rhn.redhat.com/errata/RHSA-2015-1844.html

Details

Source: Mitre, NVD

Published: 2015-10-16

Updated: 2016-06-15

Risk Information

CVSS v2

Base Score: 4.6

Vector: CVSS2#AV:N/AC:H/Au:S/C:P/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 5

Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

Severity: Medium