CVE-2019-1003049 — Insufficient Session Expiration in Jenkins

CWE-613 — Insufficient Session Expiration CWE-287 — Improper Authentication8 documents7 sources

Severity

8.1HIGHNVD

CNA7.2GHSA7.2OSV7.2

EPSS

0.5%

top 35.20%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Jenkins Project Jenkins Oracle Communications Cloud Native Core Automated Test Suite +1 more

Timeline

PublishedApr 10

Latest updateMay 13

Description

Users who cached their CLI authentication before Jenkins was updated to 2.150.2 and newer, or 2.160 and newer, would remain authenticated in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, because the fix for CVE-2019-1003004 in these releases did not reject existing remoting-based CLI authentication caches.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages3 packages

▶NVDjenkins/jenkins2.164.1+1

▶CVEListV5jenkins_project/jenkins2.171 and earlier, LTS 2.164.1 and earlier

▶NVDoracle/communications_cloud_native_core_automated_test_suite1.9.0

Also affects: Openshift Container Platform 3.11

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

OSV

Insufficient Session Expiration in Jenkins↗2022-05-13

▶

GHSA

Insufficient Session Expiration in Jenkins↗2022-05-13

▶

CVEList

CVE-2019-1003049: Users who cached their CLI authentication before Jenkins was updated to 2↗2019-04-10

▶

📋Vendor Advisories

Red Hat

jenkins: Jenkins accepted cached legacy CLI authentication↗2019-04-10

▶

Jenkins

Jenkins Security Advisory 2019-04-10↗2019-04-10

▶

💬Community

Bugzilla

CVE-2019-1003049 jenkins: Jenkins accepted cached legacy CLI authentication↗2019-04-15

▶

Bugzilla

CVE-2019-1003049 jenkins: Jenkins accepted cached legacy CLI authentication [fedora-all]↗2019-04-15

▶