CVE-2019-1003003 — Session Fixation in Jenkins

CWE-384 — Session Fixation CWE-613 — Insufficient Session Expiration CWE-285 — Improper Authorization9 documents7 sources

Severity

7.2HIGHNVD

EPSS

1.9%

top 16.52%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Jenkins Project Jenkins Redhat Openshift Container Platform

Timeline

PublishedJan 22

Latest updateMay 13

Description

An improper authorization vulnerability exists in Jenkins 2.158 and earlier, LTS 2.150.1 and earlier in core/src/main/java/hudson/security/TokenBasedRememberMeServices2.java that allows attackers with Overall/RunScripts permission to craft Remember Me cookies that would never expire, allowing e.g. to persist access to temporarily compromised user accounts.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages2 packages

▶NVDjenkins/jenkins2.150.1+1

▶CVEListV5jenkins_project/jenkins2.158 and earlier, LTS 2.150.1 and earlier

Also affects: Openshift Container Platform 3.11

🔴Vulnerability Details

OSV

Improper Authorization in Jenkins Core↗2022-05-13

▶

GHSA

Improper Authorization in Jenkins Core↗2022-05-13

▶

CVEList

CVE-2019-1003003: An improper authorization vulnerability exists in Jenkins 2↗2019-01-22

▶

📋Vendor Advisories

Red Hat

jenkins: cookie crafted using Jenkins script console allows unauthorised access to Jenkins instance↗2019-01-16

▶

Jenkins

Jenkins Security Advisory 2019-01-16↗2019-01-16

▶

💬Community

Bugzilla

CVE-2019-1003003 jenkins: cookie crafted using Jenkins script console allows unauthorised access to Jenkins instance [fedora-28]↗2019-01-22

▶

Bugzilla

CVE-2019-1003003 CVE-2019-1003004 jenkins: various flaws [fedora-all]↗2019-01-22

▶

Bugzilla

CVE-2019-1003003 jenkins: cookie crafted using Jenkins script console allows unauthorised access to Jenkins instance↗2019-01-22

▶