SB2019011608 - Security restrictions bypass in Jenkins


Published: January 16, 2019

Security Bulletin ID: SB2019011608
Severity: Low
Patch available: YES
Number of vulnerabilities: 2
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

Low: 100%

Description

This security bulletin contains information about 2 security vulnerabilities.


1) Security restrictions bypass (CVE-ID: CVE-2019-1003003)

The vulnerability allows a remote high-privileged attacker to bypass security restrictions.

The vulnerability exists due to improper validation of the "Remember me" cookie. A remote attacker with the Overall/RunScripts permission can use the Jenkins script console to craft a "Remember me" cookie that never expires and use it to retain access to the Jenkins instance for as long as the corresponding user exists in the configured security realm, for example to persist access after another successful attack.
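To show the validation gap this describes from the verifier's side, the following Python example (added here; it is not Jenkins code and does not use Jenkins' real cookie format) mints an HMAC-signed remember-me token with a constructed "user:expiry:signature" layout and validates it two ways. The weak validator honours whatever expiry the signed token carries, so a token minted with a far-future expiry is effectively permanent; the hardened validator additionally rejects any expiry further in the future than a configured maximum lifetime, so even a correctly signed token cannot outlive the policy. The function names, the token layout and the maximum-lifetime check are assumptions made for this illustration.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Constructed token layout for this example (not Jenkins' actual cookie format):
#   urlsafe-base64( "<user>:<expiry unix seconds>:<hmac-sha256 hex over user:expiry>" )
# The signature is keyed with a server-side secret, so only code running on the
# server can mint a token; the question is what the verifier does with the expiry.


def issue_token(user: str, expiry: int, key: bytes) -> str:
    """Mint a signed remember-me token for `user` that is valid until `expiry`."""
    payload = f"{user}:{expiry}"
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(f"{payload}:{sig}".encode()).decode()


def _parse_and_verify(token: str, key: bytes) -> Optional[Tuple[str, int]]:
    """Decode the token and check its signature; return (user, expiry) or None."""
    try:
        raw = base64.urlsafe_b64decode(token.encode()).decode()
        # rsplit so that a user name containing ':' does not break the layout
        user, expiry_s, sig = raw.rsplit(":", 2)
        expiry = int(expiry_s)
    except (ValueError, UnicodeDecodeError):
        return None
    expected = hmac.new(key, f"{user}:{expiry}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    return user, expiry


def validate_weak(token: str, key: bytes, now: Optional[int] = None) -> Optional[str]:
    """Accept any correctly signed token whose expiry has not passed.

    The flaw: whatever expiry the issuer wrote is honoured, so a token minted
    with an expiry decades away never expires."""
    now = int(time.time()) if now is None else now
    parsed = _parse_and_verify(token, key)
    if parsed is None:
        return None
    user, expiry = parsed
    return user if expiry >= now else None


def validate_hardened(token: str, key: bytes, max_lifetime: int,
                      now: Optional[int] = None) -> Optional[str]:
    """Same checks, plus: the expiry may not lie further in the future than the
    configured maximum lifetime (assumed policy for this example). A signed token
    with an out-of-range expiry is rejected even though its signature is valid."""
    now = int(time.time()) if now is None else now
    parsed = _parse_and_verify(token, key)
    if parsed is None:
        return None
    user, expiry = parsed
    if expiry < now or expiry > now + max_lifetime:
        return None
    return user


if __name__ == "__main__":
    key = b"constructed-example-server-secret"
    now = 1_700_000_000                 # fixed clock so the run is reproducible
    two_weeks = 14 * 24 * 3600
    normal = issue_token("alice", now + 3600, key)
    forever = issue_token("alice", now + 100 * 365 * 24 * 3600, key)
    print("normal token, weak:          ", validate_weak(normal, key, now))
    print("normal token, hardened:      ", validate_hardened(normal, key, two_weeks, now))
    print("never-expiring token, weak:  ", validate_weak(forever, key, now))
    print("never-expiring token, hardened:", validate_hardened(forever, key, two_weeks, now))
```

The hardened path is the one a practitioner wants in a detection or review checklist: any persistent-login mechanism should bound the lifetime at verification time rather than trusting the lifetime embedded in the credential, and tokens failing that bound are worth logging since a legitimate issuer never produces them.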



2) Security restrictions bypass (CVE-ID: CVE-2019-1003004)

The vulnerability allows a remote high-privileged attacker to bypass security restrictions.

The vulnerability exists because active sessions are not invalidated when a user record is deleted while an external security realm is in use. A remote attacker whose user has been deleted can bypass access restrictions and retain access to the system through a still-valid session.
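The following Python example (added here; not Jenkins code) models the session-lifecycle defect described above. A session store indexes live sessions by user so that all of a user's sessions can be revoked in one call, and a stand-in for an external security realm either leaves sessions untouched on user deletion (the defect) or revokes them (the fix). A second, stricter lookup also re-checks that the session's user still exists in the realm, which covers deletions the realm performed without notifying the application. The class and method names, and the realm's in-memory shape, are assumptions made for this illustration.

```python
from __future__ import annotations

import secrets
from typing import Dict, Iterable, Optional, Set


class SessionStore:
    """In-memory session registry indexed by user, so that every session of a
    user can be revoked at once (constructed for this example)."""

    def __init__(self) -> None:
        self._owner: Dict[str, str] = {}         # session id -> user
        self._by_user: Dict[str, Set[str]] = {}  # user -> session ids

    def login(self, user: str) -> str:
        """Create a session for `user` and return its unguessable id."""
        sid = secrets.token_urlsafe(32)
        self._owner[sid] = user
        self._by_user.setdefault(user, set()).add(sid)
        return sid

    def resolve(self, sid: str) -> Optional[str]:
        """Return the user bound to the session, or None if unknown/revoked."""
        return self._owner.get(sid)

    def resolve_strict(self, sid: str, directory: UserDirectory) -> Optional[str]:
        """Defence in depth: additionally require that the user still exists in the
        realm; a session whose user is gone is revoked on the spot."""
        user = self._owner.get(sid)
        if user is None:
            return None
        if not directory.exists(user):
            self.invalidate_user(user)
            return None
        return user

    def invalidate_user(self, user: str) -> int:
        """Revoke every session belonging to `user`; return how many were revoked."""
        sids = self._by_user.pop(user, set())
        for sid in sids:
            self._owner.pop(sid, None)
        return len(sids)


class UserDirectory:
    """Stand-in for an external security realm. `invalidate_on_delete` switches
    between the defective behaviour (sessions survive deletion) and the fix."""

    def __init__(self, users: Iterable[str], store: SessionStore,
                 invalidate_on_delete: bool) -> None:
        self._users: Set[str] = set(users)
        self._store = store
        self._invalidate_on_delete = invalidate_on_delete

    def exists(self, user: str) -> bool:
        return user in self._users

    def delete_user(self, user: str) -> int:
        """Remove the user; return the number of sessions revoked as a result."""
        self._users.discard(user)
        if self._invalidate_on_delete:
            return self._store.invalidate_user(user)
        return 0  # defect: the user's live sessions are left untouched


if __name__ == "__main__":
    store = SessionStore()
    realm = UserDirectory({"alice", "bob"}, store, invalidate_on_delete=False)
    sid = store.login("alice")
    realm.delete_user("alice")
    print("after deletion, plain lookup still yields:", store.resolve(sid))
    print("strict lookup yields:", store.resolve_strict(sid, realm))

    fixed_store = SessionStore()
    fixed_realm = UserDirectory({"alice", "bob"}, fixed_store, invalidate_on_delete=True)
    s1, s2 = fixed_store.login("alice"), fixed_store.login("alice")
    print("sessions revoked on delete:", fixed_realm.delete_user("alice"))
    print("plain lookup after fixed deletion:", fixed_store.resolve(s1), fixed_store.resolve(s2))
```

The per-user index is the design point: revoking sessions on deletion is only possible if the store can enumerate a user's sessions, and the strict lookup is what protects an application whose realm deletes users out of band.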


Remediation

Install the update from the vendor's website.