Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS03NDJqLWpjZnItMjN3M83mkw
Insufficient Session Expiration in Jenkins
Users who cached their CLI authentication before Jenkins was updated to 2.150.2 and newer, or 2.160 and newer, would remain authenticated in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, because the fix for CVE-2019-1003004 in these releases did not reject existing remoting-based CLI authentication caches.
Permalink: https://github.com/advisories/GHSA-742j-jcfr-23w3JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03NDJqLWpjZnItMjN3M83mkw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: about 1 year ago
CVSS Score: 8.1
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-742j-jcfr-23w3, CVE-2019-1003049
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-1003049
- https://access.redhat.com/errata/RHBA-2019:1605
- https://jenkins.io/security/advisory/2019-04-10/#SECURITY-1289
- https://www.oracle.com/security-alerts/cpuapr2022.html
- http://www.securityfocus.com/bid/107901
- https://github.com/jenkinsci/jenkins/commit/0eeaa087aac192fb39f52928be5a5bbf16627ea6
- https://github.com/advisories/GHSA-742j-jcfr-23w3
Blast Radius: 1.0
Affected Packages
maven:org.jenkins-ci.main:jenkins-core
Affected Version Ranges: >= 2.165, <= 2.171, <= 2.164.1Fixed in: 2.172, 2.164.2