CVE-2012-0785
Description
Hash collision attack vulnerability in Jenkins before 1.447, Jenkins LTS before 1.424.2, and Jenkins Enterprise by CloudBees 1.424.x before 1.424.2.1 and 1.400.x before 1.400.0.11 could allow remote attackers to cause a considerable CPU load, aka "the Hash DoS attack."
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins before 1.447 and certain LTS/Enterprise versions are vulnerable to a hash-collision denial-of-service attack via crafted HTTP parameters, enabling remote CPU exhaustion.
Vulnerability
Overview
CVE-2012-0785 describes a hash collision attack vulnerability in Jenkins (formerly Hudson) that allows remote attackers to cause excessive CPU load, effectively a denial of service [1][2]. The root cause lies in the built-in Winstone servlet container, which Jenkins uses when running from java -jar jenkins.war. By sending a small number of HTTP parameters with specially crafted keys that deliberately produce hash collisions, the attacker forces the parameter-map data structure into worst-case O(n²) insertion performance, consuming large amounts of CPU time [4].
Attack
Vector and Prerequisites
The vulnerability is exploitable remotely without authentication. The attacker only needs network access to the Jenkins instance. The attack does not require valid credentials; the crafted POST or GET request with colliding parameter names triggers the CPU spike on the server. However, the issue only affects users running Jenkins directly via the Winstone container; those deploying Jenkins under other servlet containers (e.g., Tomcat) are not affected at the Jenkins level, though those containers may have their own hash-DoS fixes [4].
Impact
A successful exploitation results in a denial of service: the Jenkins server becomes unresponsive or very slow for legitimate users due to high CPU consumption. The vulnerability does not allow data exfiltration or privilege escalation; its severity is medium because it is easy to exploit with readily available attack code [4].
Mitigation
Fixed versions are: Jenkins mainline 1.447, LTS 1.424.2, Jenkins Enterprise by CloudBees 1.424.2.1 and 1.400.0.11 [2][4]. Users on affected versions should upgrade immediately. No workaround for Winstone-based deployments is mentioned aside from upgrading. The fix typically involves using a hash function with randomization (e.g., adding a per-instance secret to parameter hashing) to prevent predictable collisions.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.jenkins-ci.main:jenkins-coreMaven | >= 1.425, < 1.447 | 1.447 |
org.jenkins-ci.main:jenkins-coreMaven | < 1.424.2 | 1.424.2 |
Affected products
7<1.447+ 3 more
- (no CPE)range: <1.447
- (no CPE)range: before 1.447
- (no CPE)range: 1.424.x before 1.424.2.1
- (no CPE)range: before 1.424.2
- Range: <1.424.2
- Range: 1.424.x before 1.424.2.1; 1.400.x before 1.400.0.11
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
8- github.com/advisories/GHSA-pchp-c5w8-47gcghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2012-0785ghsaADVISORY
- www.openwall.com/lists/oss-security/2012/01/20/8ghsamailing-listx_refsource_MLISTWEB
- access.redhat.com/security/cve/cve-2012-0785ghsax_refsource_MISCWEB
- jenkins.io/security/advisory/2012-01-12ghsaWEB
- jenkins.io/security/advisory/2012-01-12/mitrex_refsource_CONFIRM
- security-tracker.debian.org/tracker/CVE-2012-0785ghsax_refsource_MISCWEB
- www.cloudbees.com/jenkins-security-advisory-2012-01-12ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.