CVE-2019-1003049
Aliases:GHSA-742j-jcfr-23w3
Advisory lineage Upstream: 0 Downstream: 1
Downstream
Modified
Published: 10 Apr 2019, 20:12
Last modified:05 Aug 2024, 03:07
Vulnerability Summary
Overall Risk (default)
medium
33/100 CVSS Score
8.1 HIGH
v3.1 (nvd)
EPSS Score
0.69% LOW
1% probability +0.19%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
10 Apr 2019, 20:12
Published
Vulnerability first disclosed
05 Aug 2024, 03:07
Last Modified
Vulnerability information updated
Description
Users who cached their CLI authentication before Jenkins was updated to 2.150.2 and newer, or 2.160 and newer, would remain authenticated in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, because the fix for CVE-2019-1003004 in these releases did not reject existing remoting-based CLI authentication caches.
CVSS Metrics
- v3.1•HIGH•Score: 8.1CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- v2.0•MEDIUM•Score: 6.8AV:N/AC:M/Au:N/C:P/I:P/A:P
EPSS Trends
Current EPSS score: 0.69%• Percentile: 72%
Techniques & Countermeasures
- CWE-613•Insufficient Session Expiration
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
Affected Systems
- jenkins project•jenkins
2.171 and earlier, LTS 2.164.1 and earlier
- Unknown•Jenkins
≤ 2.164.1 | ≤ 2.171
- org.jenkins-ci.main•jenkins-core
< 2.164.2 | ≥ 2.165, < 2.172
- oracle•communications_cloud_native_core_automated_test_suite
1.9.0
- redhat•openshift_container_platform
3.11
References (7)
- http://www.securityfocus.com/bid/107901
- https://access.redhat.com/errata/RHBA-2019:1605
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://jenkins.io/security/advisory/2019-04-10/#SECURITY-1289
- https://nvd.nist.gov/vuln/detail/CVE-2019-1003049
- https://github.com/jenkinsci/jenkins/commit/0eeaa087aac192fb39f52928be5a5bbf16627ea6
- https://github.com/jenkinsci/jenkins