Description
A denial of service vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java that allows attackers without Overall/Read permission to access a specific URL on instances using the built-in Jenkins user database security realm that results in the creation of an ephemeral user record in memory.
Remediation
References
http://www.securityfocus.com/bid/106532
https://jenkins.io/security/advisory/2018-10-10/#SECURITY-1128
Related Vulnerabilities
CVE-2021-23358 Vulnerability in npm package underscore
CVE-2017-16010 Vulnerability in maven package org.webjars.bower:i18next
CVE-2021-4279 Vulnerability in maven package org.webjars.npm:fast-json-patch
CVE-2015-7559 Vulnerability in maven package org.apache.activemq:activemq-core
CVE-2019-13990 Vulnerability in maven package org.quartz-scheduler.internal:quartz-core