CVE-2012-0785: 
Java vulnerability analysis and mitigation

CVE-2012-0785 is a Hash collision attack vulnerability, also known as 'the Hash DoS attack', discovered in Jenkins software. The vulnerability affects Jenkins before version 1.447, Jenkins LTS before 1.424.2, and Jenkins Enterprise by CloudBees versions 1.424.x before 1.424.2.1 and 1.400.x before 1.400.0.11. The vulnerability was disclosed on January 12, 2012, and primarily affects installations running Jenkins via java -jar jenkins.war, including users of native packages like Windows, Debian, Solaris, RPM, OpenSUSE, Gentoo, and Mac packages (Jenkins Advisory, CloudBees Advisory).

The vulnerability is classified with a CVSS v3.1 Base Score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. It is categorized under CWE-400 (Uncontrolled Resource Consumption). The vulnerability exists in the built-in servlet container named Winstone, affecting installations running Jenkins through the java -jar jenkins.war command (NVD).

The vulnerability enables attackers to cause considerable CPU load on Jenkins servers by sending small amounts of data, resulting in denial of service to legitimate users. While the vulnerability does not allow attackers to gain access to sensitive information, its widespread publicity and easily obtainable attack code make it a significant threat (Jenkins Advisory).

Main line users were advised to upgrade to Jenkins 1.447, while LTS users were recommended to upgrade to version 1.424.2. Users of Jenkins Enterprise by CloudBees 1.424.x were instructed to upgrade to 1.424.2.1, and those using version 1.400.x were advised to upgrade to 1.400.0.11. Users deploying Jenkins to other servlet containers were encouraged to consult their respective container's security advisories for updates (Jenkins Advisory).