Vulnerabilities > CVE-2018-1999001
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | HIGH |
Integrity impact | HIGH |
Availability impact | HIGH |
Summary
An unauthorized modification of configuration vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in User.java that allows attackers to provide crafted login credentials that cause Jenkins to move the config.xml file from the Jenkins home directory. If Jenkins is started without this file present, it will revert to the legacy defaults of granting administrator access to anonymous users.
Vulnerable Configurations
Nessus
NASL family | CGI abuses |
NASL id | JENKINS_2_133.NASL |
description | The version of Jenkins running on the remote web server is prior to 2.133 or is a version of Jenkins LTS prior to 2.121.2. It is, therefore, affected by multiple vulnerabilities. Note that Nessus has not tested for these issues but has instead relied only on the application |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 111603 |
published | 2018-08-09 |
reporter | This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/111603 |
title | Jenkins < 2.121.2 / 2.133 Multiple Vulnerabilities |
code |

```
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(111603);
  script_version("1.5");
  script_cvs_date("Date: 2019/11/04");

  script_cve_id(
    "CVE-2018-1999001",
    "CVE-2018-1999002",
    "CVE-2018-1999003",
    "CVE-2018-1999004",
    "CVE-2018-1999005",
    "CVE-2018-1999006",
    "CVE-2018-1999007"
  );

  script_name(english:"Jenkins < 2.121.2 / 2.133 Multiple Vulnerabilities");
  script_summary(english:"Checks the Jenkins version.");

  script_set_attribute(attribute:"synopsis", value:
"A job scheduling and management system hosted on the remote web server is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of Jenkins running on the remote web server is prior to 2.133 or is a version of Jenkins LTS prior to 2.121.2. It is, therefore, affected by multiple vulnerabilities.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.");
  script_set_attribute(attribute:"see_also", value:"https://jenkins.io/security/advisory/2018-07-18/");
  script_set_attribute(attribute:"solution", value:
"Upgrade Jenkins to version 2.133 or later, Jenkins LTS to version 2.121.2 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-1999002");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/07/18");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/07/18");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/08/09");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:cloudbees:jenkins");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("jenkins_detect.nasl");
  script_require_keys("www/Jenkins");
  script_require_ports("Services/www", 8080);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

port = get_http_port(default:8080);
get_kb_item_or_exit("www/Jenkins/"+port+"/Installed");

url = build_url(qs:'/', port:port);

version = '';
fix = '';
if (get_kb_item("www/Jenkins/"+port+"/is_LTS") )
{
  appname = "Jenkins Open Source LTS";
  fix = '2.121.2';
}
else
{
  appname = "Jenkins Open Source";
  fix = '2.133';
}

version = get_kb_item("www/Jenkins/" + port + "/JenkinsVersion");
if (version == 'unknown')
{
  audit(AUDIT_UNKNOWN_WEB_APP_VER, appname, url);
}

if (ver_compare(ver:version, fix:fix, strict:FALSE) < 0)
{
  report =
    '\n URL : ' + url +
    '\n Product : ' + appname +
    '\n Version : ' + version +
    '\n Fixed version : ' + fix +
    '\n';

  security_report_v4(port:port, severity:SECURITY_WARNING, extra:report, xss:TRUE);
}
else audit(AUDIT_WEB_APP_NOT_AFFECTED, appname, url, version);
```
NASL family | FreeBSD Local Security Checks |
NASL id | FREEBSD_PKG_20A1881E8A9E11E8BDDFD017C2CA229D.NASL |
description | Jenkins Security Advisory : Description
- (High) SECURITY-897 / CVE-2018-1999001 Users without Overall/Read permission can have Jenkins reset parts of global configuration on the next restart
- (High) SECURITY-914 / CVE-2018-1999002 Arbitrary file read vulnerability
- (Medium) SECURITY-891 / CVE-2018-1999003 Unauthorized users could cancel queued builds
- (Medium) SECURITY-892 / CVE-2018-1999004 Unauthorized users could initiate and abort agent launches
- (Medium) SECURITY-944 / CVE-2018-1999005 Stored XSS vulnerability
- (Medium) SECURITY-925 / CVE-2018-1999006 Unauthorized users are able to determine when a plugin was extracted from its JPI package
- (Medium) SECURITY-390 / CVE-2018-1999007 XSS vulnerability in Stapler debug mode
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 111176 |
published | 2018-07-20 |
reporter | This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/111176 |
title | FreeBSD : jenkins -- multiple vulnerabilities (20a1881e-8a9e-11e8-bddf-d017c2ca229d) |
Seebug
bulletinFamily | exploit |
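description | CVE-2018-1999001 is a configuration file path modification vulnerability. A remote, unauthorized attacker can, by crafting malicious login credentials, move the config.xml configuration file out of the Jenkins home directory into another directory, which causes the Jenkins service to fall back to legacy mode on its next restart and grant administrator privileges to anonymous users as well, as shown in the figure below: ![](https://images.seebug.org/1532584718009) Exploiting CVE-2018-1999001 requires waiting for the Jenkins service to restart. |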
id | SSV:97432 |
last seen | 2018-07-31 |
modified | 2018-07-26 |
published | 2018-07-26 |
reporter | My Seebug |
title | Jenkins configuration file path modification leading to open administrator privileges (CVE-2018-1999001) |