VYPR
Moderate severity · NVD Advisory · Published Oct 17, 2014 · Updated May 6, 2026

CVE-2014-2062

Description

Jenkins before 1.551 and LTS before 1.532.2 does not invalidate the API token when a user is deleted, which allows remote authenticated users to retain access via the token.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                    Affected versions     Patched versions
org.jenkins-ci.main:jenkins-core (Maven)   >= 1.533, < 1.551     1.551
org.jenkins-ci.main:jenkins-core (Maven)   < 1.532.2             1.532.2

Affected products

  • Jenkins/Jenkins (2 version ranges)
    • cpe:2.3:a:jenkins:jenkins:*:*:*:*:*:*:*:*   range: <= 1.550
    • cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:* range: <= 1.532.1

Patches

5548b5220cfd

[FIXED SECURITY-89] When checking an API token, verify that the user actually exists.

https://github.com/jenkinsci/jenkins · Jesse Glick · Feb 7, 2014 · via ghsa
1 file changed · +15 −0
  • core/src/main/java/jenkins/security/ApiTokenFilter.java (+15 −0, modified)
    @@ -2,9 +2,13 @@
     
     import hudson.model.User;
     import hudson.security.ACL;
    +import hudson.security.UserMayOrMayNotExistException;
     import hudson.util.Scrambler;
    +import jenkins.model.Jenkins;
     import org.acegisecurity.context.SecurityContext;
     import org.acegisecurity.context.SecurityContextHolder;
    +import org.acegisecurity.userdetails.UsernameNotFoundException;
    +import org.springframework.dao.DataAccessException;
     
     import javax.servlet.Filter;
     import javax.servlet.FilterChain;
    @@ -41,6 +45,17 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
                 int idx = uidpassword.indexOf(':');
                 if (idx >= 0) {
                     String username = uidpassword.substring(0, idx);
    +                try {
    +                    Jenkins.getInstance().getSecurityRealm().loadUserByUsername(username);
    +                } catch (UserMayOrMayNotExistException x) {
    +                    // OK, give them the benefit of the doubt.
    +                } catch (UsernameNotFoundException x) {
    +                    // Not/no longer a user; deny the API token. (But do not leak the information that this happened.)
    +                    chain.doFilter(request, response);
    +                    return;
    +                } catch (DataAccessException x) {
    +                    throw new ServletException(x);
    +                }
                     String password = uidpassword.substring(idx+1);
     
                     // attempt to authenticate as API token
    
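Review bot: the deny path is taken only on UsernameNotFoundException; the UserMayOrMayNotExistException branch ("OK, give them the benefit of the doubt.") keeps the pre-fix behaviour, so on any realm that cannot positively report that the account is gone a deleted user's token still authenticates. Say so in that comment (for example "realm cannot confirm deletion; token is still honoured") so the limitation is visible to whoever configures the realm. Two further points on the same block: `throw new ServletException(x)` on DataAccessException turns a realm backend outage into a failed request for every token-authenticated call, where the not-found case merely falls through to the chain; confirm that asymmetry is intended and document it. And the early `chain.doFilter(request, response); return;` skips the token comparison that follows ("attempt to authenticate as API token"), so the "do not leak" promise holds only if the fall-through for a wrong token is observably the same, in response and timing, as the fall-through for a missing user.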

Vulnerability mechanics

ApiTokenFilter handles HTTP Basic credentials of the form user:token. Before the fix the filter went straight from splitting the username and password to attempting API-token authentication; nothing confirmed that the named account still existed in the configured security realm, so a token issued to an account that had since been deleted kept authenticating. The fix (5548b5220cfd) first calls loadUserByUsername on the security realm and, on UsernameNotFoundException, passes the request down the filter chain without authenticating it, so the deleted user's token is treated like no credentials at all. Realms that cannot answer throw UserMayOrMayNotExistException and are given the benefit of the doubt, so the check only bites where the realm can positively report that the user is gone; a DataAccessException from the realm is rethrown as a ServletException.
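Two checks a practitioner would run against a controller for this advisory, as an added example that is neither the advisory's nor the Jenkins project's code: is_affected() decides from a version string (for instance the value of the X-Jenkins response header) whether the controller sits inside the affected ranges listed above, distinguishing the two-component weekly line from the three-component LTS line; token_still_works() is the behavioural test the description implies, sending a deleted user's user:token pair as HTTP Basic auth and asking the server who it thinks is calling. The /whoAmI/api/json endpoint and its "name"/"authenticated" fields are assumptions; the HTTP call is injectable, and the sample fetch functions are constructed so the block runs offline.

```python
"""Checks for CVE-2014-2062 (Jenkins API tokens that outlive their user).

Added example, not part of the advisory or of the Jenkins code base.
  is_affected(version)   -- is this controller version inside the advisory's
                            affected ranges (weekly < 1.551, LTS < 1.532.2)?
  token_still_works(...) -- after deleting a user, does that user's API token
                            still authenticate? Uses /whoAmI/api/json (assumed
                            available) through an injectable fetch function.
"""
import base64
import json
import urllib.request
from urllib.error import HTTPError

# Boundaries taken from the advisory's affected/patched version table.
FIXED_WEEKLY = (1, 551)
FIXED_LTS = (1, 532, 2)


def parse_version(version: str) -> tuple:
    """'1.532.2' -> (1, 532, 2).

    Jenkins weekly releases carry two numeric components and LTS releases
    three; any other shape is rejected rather than guessed at.
    """
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) not in (2, 3):
        raise ValueError(f"unexpected Jenkins version string: {version!r}")
    return parts


def is_affected(version: str) -> bool:
    """True if `version` falls inside the ranges the advisory lists."""
    parts = parse_version(version)
    if len(parts) == 3:
        return parts < FIXED_LTS      # LTS line: anything below 1.532.2
    return parts < FIXED_WEEKLY       # weekly line: anything below 1.551


def _http_fetch(url: str, authorization: str):
    """GET `url` with the given Authorization header.

    Returns (status, body_text); HTTP error statuses are returned, not raised.
    """
    req = urllib.request.Request(url, headers={"Authorization": authorization})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def token_still_works(base_url: str, username: str, api_token: str,
                      fetch=_http_fetch) -> bool:
    """Send user:token as HTTP Basic auth (the form ApiTokenFilter consumes)
    and report whether the server treats the request as that user.

    Run this after deleting `username`. True means the deleted user's token
    is still accepted, the behaviour CVE-2014-2062 describes. A patched
    controller lets the request fall through unauthenticated, so /whoAmI
    (assumed endpoint) answers as anonymous or refuses the request, and this
    returns False.
    """
    raw = f"{username}:{api_token}".encode("utf-8")
    authorization = "Basic " + base64.b64encode(raw).decode("ascii")
    status, body = fetch(base_url.rstrip("/") + "/whoAmI/api/json", authorization)
    if status != 200:
        return False
    try:
        who = json.loads(body)
    except ValueError:
        return False
    return bool(who.get("authenticated")) and who.get("name") == username


if __name__ == "__main__":
    # Constructed sample: a fetch that behaves like an unpatched controller,
    # accepting the token of a user that no longer exists.
    def unpatched(url, authorization):
        return 200, json.dumps({"name": "alice", "authenticated": True})

    print(is_affected("1.550"), is_affected("1.532.1"), is_affected("1.551"))
    print(token_still_works("https://ci.example.test", "alice", "deadbeef", unpatched))
```

Only the version check is conclusive on its own; the behavioural test should be read with the patch's caveat in mind, since a realm that cannot confirm the user is gone keeps honouring the token even on a fixed controller.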
