https://bugzilla.redhat.com/show_bug.cgi?id=1335416
Bug ID: 1335416
Summary: CVE-2016-3722 jenkins: Malicious users with multiple user accounts can prevent other users from logging in (SECURITY-243)
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: low
Priority: low
Assignee: security-response-team@redhat.com
Reporter: anemec@redhat.com
CC: abhgupta@redhat.com, bleanhar@redhat.com, ccoleman@redhat.com, dmcphers@redhat.com, java-sig-commits@lists.fedoraproject.org, jialiu@redhat.com, jkeck@redhat.com, joelsmith@redhat.com, jokerman@redhat.com, kseifried@redhat.com, lmeyer@redhat.com, mizdebsk@redhat.com, mmccomas@redhat.com, msrb@redhat.com, tdawson@redhat.com, tiwillia@redhat.com
The following flaw was found in Jenkins:
By changing the freely editable 'full name', malicious users with multiple user accounts could prevent other users from logging in, as 'full name' was resolved before the actual user name to determine which account is currently trying to log in.
External References:
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-...
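The lookup-order problem described above, as an added example that is not Jenkins code or part of the original report: a simplified Python model of resolving a login string to an account, with the full-name-first order beside a user-name-first order and an audit check for colliding full names. The `Account` class, the function names, the sample accounts and the user-name-first order as the correction are all assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass

@dataclass
class Account:
    user_id: str     # login name, fixed at account creation
    full_name: str   # display name, editable by the account owner
    password: str    # plaintext only to keep the model short

def resolve_full_name_first(accounts, login):
    """Flawed order from the description: 'full name' is tried before user name."""
    for a in accounts:
        if a.full_name == login:
            return a
    return next((a for a in accounts if a.user_id == login), None)

def resolve_user_id_first(accounts, login):
    """Assumed corrected order: an exact user name always wins."""
    for a in accounts:
        if a.user_id == login:
            return a
    return next((a for a in accounts if a.full_name == login), None)

def login_ok(resolver, accounts, login, password):
    """Resolve the login string to an account, then check the password."""
    account = resolver(accounts, login)
    return account is not None and hmac.compare_digest(account.password, password)

def shadowing_accounts(accounts):
    """Audit check: accounts whose full name equals another account's user name."""
    ids = {a.user_id for a in accounts}
    return [a.user_id for a in accounts
            if a.full_name in ids and a.full_name != a.user_id]

# Constructed sample data: the second account's full name collides with "alice".
ACCOUNTS = [
    Account("alice", "Alice Example", "alice-pw"),
    Account("mallory", "alice", "mallory-pw"),
]

if __name__ == "__main__":
    for resolver in (resolve_full_name_first, resolve_user_id_first):
        ok = login_ok(resolver, ACCOUNTS, "alice", "alice-pw")
        print(f"{resolver.__name__}: alice login succeeds = {ok}")
    print("accounts shadowing another user name:", shadowing_accounts(ACCOUNTS))
```

With the full-name-first order, the correct password for `alice` is checked against the wrong account and rejected; the audit function lists the accounts an administrator would need to review.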