The HudsonPrivateSecurityRealm class in Jenkins before 1...
Moderate severity
Unreviewed
Published
May 17, 2022
to the GitHub Advisory Database
•
Updated Jan 28, 2023
Description
Published by the National Vulnerability Database
Oct 16, 2015
Published to the GitHub Advisory Database
May 17, 2022
Last updated
Jan 28, 2023
The HudsonPrivateSecurityRealm class in Jenkins before 1.600 and LTS before 1.596.1 does not restrict access to reserved names when using the "Jenkins' own user database" setting, which allows remote attackers to gain privileges by creating a reserved name.
References