Related Vulnerabilities: CVE-2018-1999043  

Severity: Medium

Remote: Yes

Type: Access restriction bypass

Description

A security issue has been found in Jenkins versions prior to 2.146. When attempting to authenticate using an API token, an ephemeral user record was created to validate the token if an external security realm was used and the user record in Jenkins had not previously been saved, as (legacy) API tokens could exist without a persisted user record.
This behavior could be abused to create a large number of ephemeral user records in memory.

Group: AVG-778; Package: jenkins; Affected: 2.145-1; Fixed: 2.146-1; Severity: Medium; Status: Fixed

https://jenkins.io/security/advisory/2018-10-10/