#VU33179 Improper Authentication in Jenkins - CVE-2019-1003049
Published: April 10, 2019 / Updated: August 3, 2020
Vulnerability identifier: #VU33179
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2019-1003049
CWE-ID: CWE-287
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Jenkins
Jenkins
Software vendor:
Jenkins
Jenkins
Description
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
Users who cached their CLI authentication before Jenkins was updated to 2.150.2 and newer, or 2.160 and newer, would remain authenticated in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, because the fix for CVE-2019-1003004 in these releases did not reject existing remoting-based CLI authentication caches.
Remediation
Install update from vendor's website.