Description
A data modification vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in User.java, IdStrategy.java that allows attackers to submit crafted user names that can cause an improper migration of user record storage formats, potentially preventing the victim from logging into Jenkins.
Remediation
References
https://jenkins.io/security/advisory/2018-12-05/#SECURITY-1072
https://www.tenable.com/security/research/tra-2018-43
http://www.securityfocus.com/bid/106176
https://access.redhat.com/errata/RHBA-2019:0024
Related Vulnerabilities
CVE-2021-29444 Vulnerability in npm package jose-browser-runtime
CVE-2023-43498 Vulnerability in maven package org.jenkins-ci.main:jenkins-core
CVE-2022-43413 Vulnerability in maven package org.jenkins-ci.plugins:job-import-plugin
CVE-2022-23623 Vulnerability in npm package frourio
CVE-2019-10343 Vulnerability in maven package io.jenkins:configuration-as-code