CVE-2019-1003003

An improper authorization vulnerability exists in Jenkins 2.158 and earlier, LTS 2.150.1 and earlier in core/src/main/java/hudson/security/TokenBasedRememberMeServices2.java that allows attackers with Overall/RunScripts permission to craft Remember Me cookies that would never expire, allowing e.g. to persist access to temporarily compromised user accounts.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.2 HIGH
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
jenkinsCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 82%
VendorProductVersion
jenkinsjenkins
𝑥
≤ 2.150.1
jenkinsjenkins
𝑥
≤ 2.158
redhatopenshift_container_platform
3.11
𝑥
= Vulnerable software versions
References
http://www.securityfocus.com/bid/106680
https://access.redhat.com/errata/RHBA-2019:0327
https://jenkins.io/security/advisory/2019-01-16/#SECURITY-868
http://www.securityfocus.com/bid/106680
https://access.redhat.com/errata/RHBA-2019:0327
https://jenkins.io/security/advisory/2019-01-16/#SECURITY-868