CVE-2019-1003049 – org.jenkins-ci.main:jenkins-core
Package
Manager: maven
Name: org.jenkins-ci.main:jenkins-core
Vulnerable Version: >=0 <2.164.2 || >=2.165 <2.172
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00601 (percentile 0.68534)
Details
Insufficient Session Expiration in Jenkins
Users who cached their CLI authentication before Jenkins was updated to 2.150.2 and newer, or 2.160 and newer, would remain authenticated in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, because the fix for CVE-2019-1003004 in these releases did not reject existing remoting-based CLI authentication caches.
Metadata
Created: 2022-05-13T01:01:01Z
Modified: 2022-06-29T14:08:39Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-742j-jcfr-23w3/GHSA-742j-jcfr-23w3.json
CWE IDs: ["CWE-613"]
Alternative ID: GHSA-742j-jcfr-23w3
Finding: F062
Auto approve: 1