exploitDog

CVE-2019-1003003

Published: 16 Jan 2019
Source: redhat
CVSS3: 6.6
EPSS: Low

Description

An improper authorization vulnerability exists in Jenkins 2.158 and earlier, LTS 2.150.1 and earlier in core/src/main/java/hudson/security/TokenBasedRememberMeServices2.java that allows attackers with Overall/RunScripts permission to craft Remember Me cookies that would never expire, allowing e.g. to persist access to temporarily compromised user accounts.

Affected packages

| Platform | Package | Status | Advisory | Release |
|---|---|---|---|---|
| Red Hat OpenShift Container Platform 3.10 | jenkins | Will not fix | | |
| Red Hat OpenShift Container Platform 3.2 | jenkins | Out of support scope | | |
| Red Hat OpenShift Container Platform 3.3 | jenkins | Out of support scope | | |
| Red Hat OpenShift Container Platform 3.4 | jenkins | Out of support scope | | |
| Red Hat OpenShift Container Platform 3.5 | jenkins | Out of support scope | | |
| Red Hat OpenShift Container Platform 3.6 | jenkins | Out of support scope | | |
| Red Hat OpenShift Container Platform 3.7 | jenkins | Out of support scope | | |
| Red Hat OpenShift Container Platform 3.9 | jenkins | Will not fix | | |
| Red Hat OpenShift Container Platform 4 | jenkins | Not affected | | |
| Red Hat OpenShift Container Platform 3.11 | atomic-enterprise-service-catalog | Fixed | RHBA-2019:0326 | 20.02.2019 |

Additional information

Severity: Moderate

Weakness: CWE-384 -> CWE-613

Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1668345
jenkins: cookie crafted using Jenkins script console allows unauthorised access to Jenkins instance

EPSS: 0.01946 (Low), percentile 83%

CVSS3: 6.6 Medium

Related vulnerabilities

CVSS3: 7.2
nvd
about 7 years ago

An improper authorization vulnerability exists in Jenkins 2.158 and earlier, LTS 2.150.1 and earlier in core/src/main/java/hudson/security/TokenBasedRememberMeServices2.java that allows attackers with Overall/RunScripts permission to craft Remember Me cookies that would never expire, allowing e.g. to persist access to temporarily compromised user accounts.

CVSS3: 7.2
debian
about 7 years ago

An improper authorization vulnerability exists in Jenkins 2.158 and ea ...

CVSS3: 7.2
github
more than 3 years ago

Improper Authorization in Jenkins Core

CVSS3: 7.2
fstec
about 7 years ago

Vulnerability in the TokenBasedRememberMeServices2.java component (core/src/main/java/hudson/security/TokenBasedRememberMeServices2.java) of the Jenkins automation server, allowing an attacker to gain unauthorized access to protected information