CVE-2019-1003003

An improper authorization vulnerability exists in Jenkins 2.158 and earlier, LTS 2.150.1 and earlier in core/src/main/java/hudson/security/TokenBasedRememberMeServices2.java that allows attackers with Overall/RunScripts permission to craft Remember Me cookies that would never expire, allowing e.g. to persist access to temporarily compromised user accounts.

Published: Jan 22, 2019
Updated: Oct 26, 2023
CVE: CVE-2019-1003003
GHSA: GHSA-6rh5-23hx-j452
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.2
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Medium
Score: 6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P

CWEs:

CWE-285

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
jenkins / jenkins	-	2.150.1.x
jenkins / jenkins	-	2.158.x
redhat / openshift_container_platform	3.11	3.11.x
org.jenkins-ci.main / jenkins-core	-	2.159

http://www.securityfocus.com/bid/106680
https://access.redhat.com/errata/RHBA-2019:0327
https://jenkins.io/security/advisory/2019-01-16/#SECURITY-868

Vulnerability Database

289,599

CVE-2019-1003003