{"api_version":"1","generated_at":"2026-05-05T07:51:04+00:00","cve":"CVE-2018-1000863","urls":{"html":"https://cve.report/CVE-2018-1000863","api":"https://cve.report/api/cve/CVE-2018-1000863.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2018-1000863","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2018-1000863"},"summary":{"title":"CVE-2018-1000863","description":"A data modification vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in User.java, IdStrategy.java that allows attackers to submit crafted user names that can cause an improper migration of user record storage formats, potentially preventing the victim from logging into Jenkins.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2018-12-10 14:29:00","updated_at":"2019-10-03 00:03:00"},"problem_types":["CWE-22"],"metrics":[],"references":[{"url":"https://www.tenable.com/security/research/tra-2018-43","name":"https://www.tenable.com/security/research/tra-2018-43","refsource":"MISC","tags":["Exploit","Third Party Advisory"],"title":"[R2] Jenkins Forced Migration of User Records - Research Advisory | Tenable®","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://jenkins.io/security/advisory/2018-12-05/#SECURITY-1072","name":"https://jenkins.io/security/advisory/2018-12-05/#SECURITY-1072","refsource":"CONFIRM","tags":["Vendor Advisory"],"title":"Jenkins Security Advisory 2018-12-05","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://access.redhat.com/errata/RHBA-2019:0024","name":"RHBA-2019:0024","refsource":"REDHAT","tags":["Third Party Advisory"],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/bid/106176","name":"106176","refsource":"BID","tags":["Third Party Advisory","VDB Entry"],"title":"Jenkins Multiple Security Vulnerabilities","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2018-1000863","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1000863","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2018","cve_id":"1000863","vulnerable":"1","versionEndIncluding":"2.138.3","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"jenkins","cpe5":"jenkins","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"lts","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"1000863","vulnerable":"1","versionEndIncluding":"2.153","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"jenkins","cpe5":"jenkins","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"-","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"1000863","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"openshift_container_platform","cpe6":"3.11","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"1000863","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"openshift_container_platform","cpe6":"3.11","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","DATE_ASSIGNED":"2018-12-09T22:34:33.130546","ID":"CVE-2018-1000863","REQUESTER":"ml@beckweb.net","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"A data modification vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in User.java, IdStrategy.java that allows attackers to submit crafted user names that can cause an improper migration of user record storage formats, potentially preventing the victim from logging into Jenkins."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"https://jenkins.io/security/advisory/2018-12-05/#SECURITY-1072","refsource":"CONFIRM","url":"https://jenkins.io/security/advisory/2018-12-05/#SECURITY-1072"},{"name":"RHBA-2019:0024","refsource":"REDHAT","url":"https://access.redhat.com/errata/RHBA-2019:0024"},{"name":"106176","refsource":"BID","url":"http://www.securityfocus.com/bid/106176"},{"name":"https://www.tenable.com/security/research/tra-2018-43","refsource":"MISC","url":"https://www.tenable.com/security/research/tra-2018-43"}]}},"nvd":{"publishedDate":"2018-12-10 14:29:00","lastModifiedDate":"2019-10-03 00:03:00","problem_types":["CWE-22"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"HIGH","baseScore":8.2,"baseSeverity":"HIGH"},"exploitabilityScore":3.9,"impactScore":4.2},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:N/I:P/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":6.4},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":4.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*","versionEndIncluding":"2.138.3","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*","versionEndIncluding":"2.153","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2018","CveId":"1000863","Ordinal":"138877","Title":"CVE-2018-1000863","CVE":"CVE-2018-1000863","Year":"2018"},"notes":[{"CveYear":"2018","CveId":"1000863","Ordinal":"1","NoteData":"A data modification vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in User.java, IdStrategy.java that allows attackers to submit crafted user names that can cause an improper migration of user record storage formats, potentially preventing the victim from logging into Jenkins.","Type":"Description","Title":null},{"CveYear":"2018","CveId":"1000863","Ordinal":"2","NoteData":"2018-12-10","Type":"Other","Title":"Published"},{"CveYear":"2018","CveId":"1000863","Ordinal":"3","NoteData":"2019-03-13","Type":"Other","Title":"Modified"}]}}}