CVE-2019-1003049

Users who cached their CLI authentication before Jenkins was updated to 2.150.2 and newer, or 2.160 and newer, would remain authenticated in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, because the fix for CVE-2019-1003004 in these releases did not reject existing remoting-based CLI authentication caches.

Published: Apr 10, 2019
Updated: Oct 26, 2023
CVE: CVE-2019-1003049
GHSA: GHSA-742j-jcfr-23w3
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.1
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Medium
Score: 6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P

CWEs:

CWE-613

OWASP TOP 10:

A2 - Broken Authentication

Affected Software
References

Software	From	Fixed in
jenkins / jenkins	-	2.164.1.x
jenkins / jenkins	-	2.171.x
redhat / openshift_container_platform	3.11	3.11.x
oracle / communications_cloud_native_core_automated_test_suite	1.9.0	1.9.0.x
org.jenkins-ci.main / jenkins-core	-	2.164.2
org.jenkins-ci.main / jenkins-core	2.165	2.172

http://www.securityfocus.com/bid/107901
https://access.redhat.com/errata/RHBA-2019:1605
https://github.com/jenkinsci/jenkins/commit/0eeaa087aac192fb39f52928be5a5bbf16627ea6
https://jenkins.io/security/advisory/2019-04-10/#SECURITY-1289
https://www.oracle.com/security-alerts/cpuapr2022.html

Vulnerability Database

289,697

CVE-2019-1003049