#VU33179 Improper Authentication in Jenkins - CVE-2019-1003049

Cybersecurity Help s.r.o.

Published: 2019-04-10 | Updated: 2020-08-03

Vulnerability identifier: #VU33179

Vulnerability risk: High

CVSSv4.0: 7.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2019-1003049

CWE-ID: CWE-287

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Jenkins
Server applications / Application servers

Vendor: Jenkins

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

Users who cached their CLI authentication before Jenkins was updated to 2.150.2 and newer, or 2.160 and newer, would remain authenticated in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, because the fix for CVE-2019-1003004 in these releases did not reject existing remoting-based CLI authentication caches.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Jenkins: 2.0 - 2.171

External links
https://www.securityfocus.com/bid/107901
https://access.redhat.com/errata/RHBA-2019:1605
https://jenkins.io/security/advisory/2019-04-10/#SECURITY-1289

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Improper Authentication in jenkins (Alpine package)

Arch Linux update for jenkins

Improper Authentication in Jenkins