Authentication Bypass

Affecting org.jenkins-ci.main:jenkins-core artifact, versions [,2.164.2) || [,2.172)


Overview

org.jenkins-ci.main:jenkins-core is an open source automation server.

Affected versions of this package are vulnerable to Authentication Bypass. Users who cached their CLI authentication before Jenkins was updated to 2.150.2 or newer (or 2.160 or newer) remained authenticated in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, because the fix for CVE-2019-1003004 in those releases did not reject existing remoting-based CLI authentication caches.

Remediation

Upgrade org.jenkins-ci.main:jenkins-core to version 2.164.2, 2.172 or higher.
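As an added example (not part of the Snyk advisory or of Jenkins itself), a small Python check that maps a jenkins-core version onto the affected ranges above. It assumes the Jenkins convention that LTS releases carry three version components (2.164.1) and weekly releases two (2.171), which this page does not state; the constructed inventory is sample data.

```python
"""Decide whether a jenkins-core version is in this advisory's affected ranges.

Assumption (Jenkins convention, not stated on the advisory page): LTS releases
use three components (2.164.1), weekly releases use two (2.171), so the two
fixed versions named in the remediation apply to different release lines.
"""
from typing import List, Tuple

ADVISORY = "CVE-2019-1003049"
ARTIFACT = "org.jenkins-ci.main:jenkins-core"
FIXED_LTS = (2, 164, 2)   # LTS line fixed in 2.164.2 (from the advisory)
FIXED_WEEKLY = (2, 172)   # weekly line fixed in 2.172 (from the advisory)


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse '2.164.1' into (2, 164, 1); reject non-numeric components."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Jenkins core version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version_text: str) -> bool:
    """True if the version is below the fix for its own release line."""
    version = parse_version(version_text)
    if len(version) == 3:            # LTS line (assumed convention)
        return version < FIXED_LTS
    if len(version) == 2:            # weekly line (assumed convention)
        return version < FIXED_WEEKLY
    raise ValueError(f"unexpected version shape: {version_text!r}")


def find_affected(inventory: List[str]) -> List[str]:
    """Filter 'group:artifact:version' coordinates down to affected jenkins-core ones."""
    hits = []
    for coordinate in inventory:
        group, artifact, version = coordinate.rsplit(":", 2)
        if f"{group}:{artifact}" == ARTIFACT and is_affected(version):
            hits.append(coordinate)
    return hits


# Constructed sample inventory (not real deployment data).
SAMPLE_INVENTORY = [
    "org.jenkins-ci.main:jenkins-core:2.164.1",   # LTS, below 2.164.2
    "org.jenkins-ci.main:jenkins-core:2.164.2",   # LTS, fixed
    "org.jenkins-ci.main:jenkins-core:2.171",     # weekly, below 2.172
    "org.jenkins-ci.main:jenkins-core:2.176.1",   # LTS, fixed
    "org.jenkins-ci.main:cli:2.171",              # different artifact, ignored
]

if __name__ == "__main__":
    for hit in find_affected(SAMPLE_INVENTORY):
        print(f"{hit}: affected by {ADVISORY}")
```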

CVSS Score: 6.6 (medium severity)
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High
CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE: CVE-2019-1003049
CWE: CWE-287
Snyk ID: SNYK-JAVA-ORGJENKINSCIMAIN-174178
Disclosed: 10 Apr, 2019
Published: 14 Apr, 2019