Improper Authentication in Jenkins - CVE-2019-1003049
Published: April 10, 2019 / Updated: August 3, 2020
Vulnerability identifier: #VU33179
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2019-1003049
CWE-ID: CWE-287
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Jenkins
Affected software:
Jenkins
Jenkins
Detailed vulnerability description
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
Users who cached their CLI authentication before Jenkins was updated to 2.150.2 and newer, or 2.160 and newer, would remain authenticated in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, because the fix for CVE-2019-1003004 in these releases did not reject existing remoting-based CLI authentication caches.
How to mitigate CVE-2019-1003049
Install update from vendor's website.