Vulnerability Description
Users who cached their CLI authentication with the remoting-based CLI before Jenkins was updated to 2.150.2 or newer (LTS), or 2.160 or newer (weekly), remained authenticated on Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, because the fix for CVE-2019-1003004 in those releases did not reject existing remoting-based CLI authentication caches (Jenkins SECURITY-1289). In practice this meant the earlier fix could be sidestepped by anyone still holding a cache created before the upgrade.
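The description names two independent conditions: the running release must still be in the affected range, and a release old enough to have issued a remoting CLI authentication cache (anything before the CVE-2019-1003004 fix) must have run on the instance at some point. The following Python is an added triage example, not code from the Jenkins project or its advisory. It classifies a version string in the form Jenkins returns in its X-Jenkins response header, distinguishing two-component weekly releases from three-component LTS releases so that the right boundary is applied to each line. The "earliest release ever run" input, the function names and all sample values are constructed for illustration; only the version boundaries come from the description.

```python
"""Triage helper for CVE-2019-1003049 (Jenkins SECURITY-1289).

Added example; not code from the Jenkins project or from the advisory.
The version boundaries are the ones given in the vulnerability description.
Function names, the 'earliest release ever run' input and every sample value
below are constructed for illustration.
"""
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# Releases that still accept a pre-upgrade remoting CLI authentication cache
# (from the description: 2.171 and earlier, LTS 2.164.1 and earlier).
WEEKLY_LAST_AFFECTED: Version = (2, 171)
LTS_LAST_AFFECTED: Version = (2, 164, 1)

# First releases carrying the CVE-2019-1003004 fix (2.160 weekly, 2.150.2 LTS).
# A remoting CLI cache can only have been created while an older release ran.
WEEKLY_1003004_FIXED: Version = (2, 160)
LTS_1003004_FIXED: Version = (2, 150, 2)


def parse_version(text: str) -> Optional[Version]:
    """Parse a Jenkins version string, e.g. the X-Jenkins response header.

    Weekly releases have two components (2.171), LTS releases three (2.164.1).
    Anything else (empty, non-numeric, wrong arity) yields None.
    """
    parts = text.strip().split(".")
    if len(parts) not in (2, 3) or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def is_lts(version: Version) -> bool:
    return len(version) == 3


def in_affected_range(text: str) -> Optional[bool]:
    """Does this running version still accept stale remoting CLI caches?"""
    v = parse_version(text)
    if v is None:
        return None
    limit = LTS_LAST_AFFECTED if is_lts(v) else WEEKLY_LAST_AFFECTED
    return v <= limit


def predates_1003004_fix(version: Version) -> bool:
    """Could this release have issued a remoting CLI authentication cache?"""
    fixed = LTS_1003004_FIXED if is_lts(version) else WEEKLY_1003004_FIXED
    return version < fixed


def assess(current: str, earliest_run: Optional[str] = None) -> str:
    """Combine the running version with the oldest release the instance ever ran.

    The bug bites only if (a) the running release is in the affected range and
    (b) a release predating the CVE-2019-1003004 fix ran on this instance, so a
    user could have cached CLI authentication back then.
    """
    affected = in_affected_range(current)
    if affected is None:
        return "unknown_version"
    if not affected:
        return "fixed"
    oldest = parse_version(earliest_run) if earliest_run else None
    if oldest is None:
        return "version_in_range_history_unknown"
    if predates_1003004_fix(oldest):
        return "at_risk_stale_cache_accepted"
    return "version_in_range_no_stale_cache_possible"


def run_samples() -> Dict[str, str]:
    """Constructed (current, earliest) pairs, as an operator might collect them."""
    samples = {
        "lts-upgraded-from-2.138.4": ("2.164.1", "2.138.4"),
        "lts-fixed": ("2.164.2", "2.138.4"),
        "weekly-upgraded-from-2.159": ("2.171", "2.159"),
        "weekly-fresh-install": ("2.171", "2.160"),
        "weekly-fixed": ("2.172", "2.100"),
        "garbage-header": ("not-a-version", None),
    }
    return {name: assess(cur, old) for name, (cur, old) in samples.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:32} {verdict}")
```

A version check alone is only a necessary condition: an instance first installed at 2.160 or 2.150.2 never issued the cache in question, while one upgraded from an older release should be treated as exposed until it runs a release outside the affected range.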
CVSS Score
8.1 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Jenkins | Jenkins | <= 2.171 (weekly), <= 2.164.1 (LTS) |
| Redhat | Openshift Container Platform | 3.11 |
| Oracle | Communications Cloud Native Core Automated Test Suite | 1.9.0 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/107901 (Broken Link)
- https://access.redhat.com/errata/RHBA-2019:1605 (Third Party Advisory)
- https://jenkins.io/security/advisory/2019-04-10/#SECURITY-1289 (Vendor Advisory)
- https://www.oracle.com/security-alerts/cpuapr2022.html (Patch, Third Party Advisory)
FAQ
What is CVE-2019-1003049?
CVE-2019-1003049 is a Jenkins authentication vulnerability with a CVSS score of 8.1 (HIGH). Users who cached their CLI authentication before Jenkins was updated to 2.150.2 and newer, or 2.160 and newer, remained authenticated in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, because the fix for CVE-2019-1003004 in those releases did not reject existing remoting-based CLI authentication caches.
How severe is CVE-2019-1003049?
CVE-2019-1003049 has been rated HIGH with a CVSS base score of 8.1/10. This page records the base score only; the full metric vector is not reproduced here.
Is there a patch for CVE-2019-1003049?
Yes. The Jenkins advisory linked above (SECURITY-1289) is the vendor fix: Jenkins 2.172 and LTS 2.164.2, the first releases after the affected ranges given in the description, reject the stale remoting-based CLI authentication caches. The Red Hat erratum covers the bundled Jenkins in OpenShift Container Platform 3.11, and the Oracle April 2022 Critical Patch Update covers Communications Cloud Native Core Automated Test Suite 1.9.0. Upgrading alone is the remediation; no cache cleanup on the client side is required once the server rejects the caches.