Jenkins Security Advisory 2012-01-12

Vulnerability in Jenkins Core

This vulnerability, known as "the Hash DoS attack", allows an attacker to cause significant CPU load on Jenkins by sending a small amount of data, thus denying service to legitimate users.

This vulnerability affects Jenkins versions up to and including 1.446, and LTS releases up to and including 1.424.1.

The issue is in the built-in servlet container (named Winstone), affecting users running Jenkins via (including users of all native packages, such as the Windows, Debian, Solaris, RPM, openSUSE, Gentoo, and Mac packages). Users deploying Jenkins on other servlet containers should consult the security advisories of their servlet container, as the vulnerability affects all of them.

Severity

The vulnerability is rated as medium. It does not allow attackers to access sensitive information, but it is widely known, and attack code is easily obtainable.

Fix

Main line users should upgrade to Jenkins 1.447. LTS users should upgrade to the upcoming 1.424.2.
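The advisory describes the attack only at a high level: a request body whose parameter names are chosen to collide in the container's hash table makes parsing cost quadratic time, so a small body burns a lot of CPU. The usual container-side mitigation is to bound the work before any key reaches the hash table, by capping the request size and the number of parameters per request. The following is an added illustration of that mitigation, not Jenkins or Winstone code; the limit values, the function names and the error type are assumptions chosen for the example.

```python
"""Added example (not Jenkins/Winstone code): a form-body parser that enforces
a body-size cap and a parameter-count cap *before* inserting keys into a dict.
Bounding the number of keys bounds the worst-case cost of a hash-collision
(hash DoS) request, which is the mitigation servlet containers adopted."""
from urllib.parse import unquote_plus

# Constructed limits for illustration; a real container makes these configurable.
MAX_BODY_BYTES = 2 * 1024 * 1024   # reject bodies larger than 2 MiB
MAX_PARAMS = 10_000                # reject requests carrying more than 10k parameters


class RequestTooLarge(ValueError):
    """Raised when a request exceeds a size or parameter-count limit."""


def parse_form_body(body: bytes,
                    max_params: int = MAX_PARAMS,
                    max_bytes: int = MAX_BODY_BYTES) -> dict:
    """Parse an application/x-www-form-urlencoded body into a dict.

    The size check runs first, so an oversized body is never scanned; the
    parameter counter is checked before each insertion, so the dict never
    grows beyond max_params entries no matter how the keys hash."""
    if len(body) > max_bytes:
        raise RequestTooLarge(f"body of {len(body)} bytes exceeds {max_bytes}")

    params: dict = {}
    seen = 0
    for pair in body.split(b"&"):
        if not pair:
            continue                  # tolerate "a=1&&b=2"
        seen += 1
        if seen > max_params:
            raise RequestTooLarge(f"more than {max_params} parameters in request")
        raw_key, _, raw_value = pair.partition(b"=")
        key = unquote_plus(raw_key.decode("utf-8", errors="replace"))
        value = unquote_plus(raw_value.decode("utf-8", errors="replace"))
        params[key] = value           # last value wins, as most containers do
    return params


def is_within_limits(body: bytes) -> bool:
    """Convenience check: True if the body would be accepted, False if rejected."""
    try:
        parse_form_body(body)
    except RequestTooLarge:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample bodies: one ordinary form post, one with too many keys.
    print(parse_form_body(b"job=build+now&token=abc%21"))
    flood = b"&".join(b"k%d=v" % i for i in range(MAX_PARAMS + 1))
    print("flood accepted?", is_within_limits(flood))
```

The count is enforced on the way in rather than after parsing because the cost of a hash-collision body is incurred during insertion; checking `len(params)` afterwards would be too late. Administrators running a different servlet container should look for the equivalent per-request parameter cap in that container's configuration, as the advisory directs.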