Improper Authentication in Jenkins

1) Improper Authentication

EUVDB-ID: #VU33179

Risk: High

CVSSv4.0: 7.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2019-1003049

CWE-ID: CWE-287 - Improper Authentication

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

Users who cached their CLI authentication before Jenkins was updated to 2.150.2 and newer, or 2.160 and newer, would remain authenticated in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, because the fix for CVE-2019-1003004 in these releases did not reject existing remoting-based CLI authentication caches.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Jenkins: 2.0 - 2.171

CPE2.3

• cpe:2.3:a:jenkins:jenkins:2.0:*:*:*:*:*:*:*
• cpe:2.3:a:jenkins:jenkins:2.1:*:*:*:*:*:*:*
• cpe:2.3:a:jenkins:jenkins:2.2:*:*:*:*:*:*:*

External links

https://www.securityfocus.com/bid/107901
https://access.redhat.com/errata/RHBA-2019:1605
https://jenkins.io/security/advisory/2019-04-10/#SECURITY-1289

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.