CVE-2019-1003049

EPSS 0.42%
Published 10.04.2019 21:29:01
Last modified 21.11.2024 04:17:48
Source jenkinsci-cert@googlegroups.co
Teams watchlist Login
Open Login

Users who cached their CLI authentication before Jenkins was updated to 2.150.2 and newer, or 2.160 and newer, would remain authenticated in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, because the fix for CVE-2019-1003004 in these releases did not reject existing remoting-based CLI authentication caches.

Affected products Warnungen 0 Metrics 3 CWE 1 References 7

Data is provided by the National Vulnerability Database (NVD)

Jenkins ≫ Jenkins SwEditionlts Version <= 2.164.1

Jenkins ≫ Jenkins Version <= 2.171

Redhat ≫ Openshift Container Platform Version3.11

Oracle ≫ Communications Cloud Native Core Automated Test Suite Version1.9.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.42%	0.612

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.1	2.2	5.9	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	6.8	8.6	6.4	AV:N/AC:M/Au:N/C:P/I:P/A:P

CWE-613 Insufficient Session Expiration

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

https://www.oracle.com/security-alerts/cpuapr2022.html

Patch

Third Party Advisory

http://www.securityfocus.com/bid/107901

Broken Link

https://access.redhat.com/errata/RHBA-2019:1605

Third Party Advisory

https://jenkins.io/security/advisory/2019-04-10/#SECURITY-1289

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2019-1003049

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-1003049

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-1003049

EUVD