cbcvebase.
CVE-2019-1003003
published 2019-01-22

CVE-2019-1003003: An improper authorization vulnerability exists in Jenkins 2.158 and earlier, LTS 2.150.1 and earlier in…

high7.2CVSS 3.1
AVNACLPRHUINSUCHIHAH
An improper authorization vulnerability exists in Jenkins 2.158 and earlier, LTS 2.150.1 and earlier in core/src/main/java/hudson/security/TokenBasedRememberMeServices2.java that allows attackers with Overall/RunScripts permission to craft Remember Me cookies that would never expire, allowing e.g. to persist access to temporarily compromised user accounts.

Affected

8 ranges
VendorProductVersion rangeFixed in
jenkinsjenkins<= 2.150.1
jenkinsjenkins<= 2.158
jenkinsjenkins_core
jenkinsjenkins_lts
jenkinsjenkins_weekly
jenkinsmonitoring_plugin
jenkins_projectjenkins
redhatopenshift_container_platform