Vulnerability Description
An improper authorization vulnerability exists in Jenkins 2.158 and earlier, LTS 2.150.1 and earlier in core/src/main/java/hudson/security/AuthenticationProcessingFilter2.java that allows attackers to extend the duration of active HTTP sessions indefinitely even though the user account may have been deleted in the mean time.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Jenkins | Jenkins | <= 2.150.1 |
| Redhat | Openshift Container Platform | 3.11 |
References
- http://www.securityfocus.com/bid/106680Broken Link
- https://access.redhat.com/errata/RHBA-2019:0327Third Party Advisory
- https://jenkins.io/security/advisory/2019-01-16/#SECURITY-901Vendor Advisory
- http://www.securityfocus.com/bid/106680Broken Link
- https://access.redhat.com/errata/RHBA-2019:0327Third Party Advisory
- https://jenkins.io/security/advisory/2019-01-16/#SECURITY-901Vendor Advisory
FAQ
What is CVE-2019-1003004?
CVE-2019-1003004 is a vulnerability with a CVSS score of 7.2 (HIGH). An improper authorization vulnerability exists in Jenkins 2.158 and earlier, LTS 2.150.1 and earlier in core/src/main/java/hudson/security/AuthenticationProcessingFilter2.java that allows attackers to...
How severe is CVE-2019-1003004?
CVE-2019-1003004 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-1003004?
Check the references section above for vendor advisories and patch information. Affected products include: Jenkins Jenkins, Redhat Openshift Container Platform.