CVE-2019-1003049

EPSS 0.42%
Veröffentlicht 10.04.2019 21:29:01
Zuletzt bearbeitet 21.11.2024 04:17:48
Quelle jenkinsci-cert@googlegroups.co
Teams Watchlist Login
Unerledigt Login

Users who cached their CLI authentication before Jenkins was updated to 2.150.2 and newer, or 2.160 and newer, would remain authenticated in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, because the fix for CVE-2019-1003004 in these releases did not reject existing remoting-based CLI authentication caches.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Jenkins ≫ Jenkins SwEditionlts Version <= 2.164.1

Jenkins ≫ Jenkins Version <= 2.171

Redhat ≫ Openshift Container Platform Version3.11

Oracle ≫ Communications Cloud Native Core Automated Test Suite Version1.9.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.42%	0.612

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.1	2.2	5.9	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	6.8	8.6	6.4	AV:N/AC:M/Au:N/C:P/I:P/A:P

CWE-613 Insufficient Session Expiration

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

https://www.oracle.com/security-alerts/cpuapr2022.html

Patch

Third Party Advisory

http://www.securityfocus.com/bid/107901

Broken Link

https://access.redhat.com/errata/RHBA-2019:1605

Third Party Advisory

https://jenkins.io/security/advisory/2019-04-10/#SECURITY-1289

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2019-1003049

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-1003049

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-1003049

EUVD