A flaw was found in Jenkins. The fix for SECURITY-499 introduced a mechanism that renamed user directories on disk as a user with an unsafe user name (user ID) is loaded. Insufficient input validation allowed attackers to rename such user directories even for users with a safe user name by submitting a crafted user name when attempting to log in, even with an invalid password. Doing so prevented users from logging in successfully afterwards.
References:
https://jenkins.io/security/advisory/2018-12-05/