CVE-2019-1003004 — Session Fixation in Jenkins

CWE-384 — Session Fixation CWE-613 — Insufficient Session Expiration CWE-285 — Improper Authorization CWE-287 — Improper Authentication11 documents7 sources

Severity

7.2HIGHNVD

EPSS

1.7%

top 17.44%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Jenkins Project Jenkins Redhat Openshift Container Platform

Timeline

PublishedJan 22

Latest updateMay 13

Description

An improper authorization vulnerability exists in Jenkins 2.158 and earlier, LTS 2.150.1 and earlier in core/src/main/java/hudson/security/AuthenticationProcessingFilter2.java that allows attackers to extend the duration of active HTTP sessions indefinitely even though the user account may have been deleted in the mean time.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages2 packages

▶NVDjenkins/jenkins2.150.1+1

▶CVEListV5jenkins_project/jenkins2.158 and earlier, LTS 2.150.1 and earlier, 2.171 and earlier, LTS 2.164.1 and earlier+1

Also affects: Openshift Container Platform 3.11

🔴Vulnerability Details

OSV

Improper Authorization in Jenkins Core↗2022-05-13

▶

GHSA

Improper Authorization in Jenkins Core↗2022-05-13

▶

GHSA

Insufficient Session Expiration in Jenkins↗2022-05-13

▶

CVEList

CVE-2019-1003004: An improper authorization vulnerability exists in Jenkins 2↗2019-01-22

▶

📋Vendor Advisories

Red Hat

jenkins: Jenkins accepted cached legacy CLI authentication↗2019-04-10

▶

Red Hat

jenkins: deleting a user record will does not invalidate existing sessions↗2019-01-16

▶

Jenkins

Jenkins Security Advisory 2019-01-16↗2019-01-16

▶

💬Community

Bugzilla

CVE-2019-1003049 jenkins: Jenkins accepted cached legacy CLI authentication↗2019-04-15

▶

Bugzilla

CVE-2019-1003004 jenkins: deleting a user record will does not invalidate existing sessions↗2019-01-23

▶

Bugzilla

CVE-2019-1003003 CVE-2019-1003004 jenkins: various flaws [fedora-all]↗2019-01-22

▶