Vulnerability in Jenkins Core
This vulnerability, commonly known as “the Hash DoS attack”, enables an attacker to cause a considerable CPU load on Jenkins just by sending a small data, thereby denying service to legitimate users.
This vulnerability affects Jenkins up to and including 1.446, LTS releases up to and including 1.424.1.
This is a vulnerability in the built-in servlet container (named Winstone), and therefore the only affected users are those who are running Jenkins via
java -jar jenkins.war (which includes users of all the native packages, such as Windows, Debian, Solaris, RPM, OpenSUSE, Gentoo, and Mac packages.)
Those who are deploying Jenkins to other servlet containers are encouraged to consult the security advisories of your servlet container for the updates. Because of the nature of the vulnerability, every servlet container is affected.
We rate this vulnerability as medium. This vulnerability does not allow an attacker to gain access to sensitive information, but it is widely publicized and an attack code is easy to obtain.