Jenkins does not Restrict Reserved Names Allowing for Privilege Escalation

GHSA-37wm-28rm-56vw · CVE-2015-1810

Published May 17, 2022 · Modified Mar 13, 2025

Description

The HudsonPrivateSecurityRealm class in Jenkins before 1.600 and LTS before 1.596.1 does not restrict access to reserved names when using the "Jenkins' own user database" setting, which allows remote attackers to gain privileges by creating a reserved name.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2015-1810
WEB https://access.redhat.com/errata/RHSA-2016:0070
WEB https://bugzilla.redhat.com/show_bug.cgi?id=1205627
PACKAGE https://github.com/jenkinsci/jenkins
WEB https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-02-27
WEB http://rhn.redhat.com/errata/RHSA-2015-1844.html

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes