https://bugzilla.redhat.com/show_bug.cgi?id=1699701
Bug ID: 1699701
Summary: CVE-2019-1003049 jenkins: Jenkins accepted cached legacy CLI authentication
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Whiteboard: impact=moderate,public=20190410,reported=20190412,source=oss-security,cvss3=5.0/CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L,cwe=CWE-592,openshift-enterprise-3.4/jenkins=new,openshift-enterprise-3.5/jenkins=new,openshift-enterprise-3.6/jenkins=new,openshift-enterprise-3.7/jenkins=new,openshift-enterprise-3.9/jenkins=new,openshift-enterprise-3.10/jenkins=new,openshift-enterprise-3.11/jenkins=new,openshift-enterprise-4.1/jenkins=new,fedora-all/jenkins=affected
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: sfowler@redhat.com
CC: adam.kaplan@redhat.com, ahardin@redhat.com, aos-bugs@redhat.com, bleanhar@redhat.com, ccoleman@redhat.com, dedgar@redhat.com, eparis@redhat.com, java-sig-commits@lists.fedoraproject.org, jgoulding@redhat.com, jokerman@redhat.com, mchappel@redhat.com, mizdebsk@redhat.com, mmccomas@redhat.com, msrb@redhat.com, obulatov@redhat.com, wzheng@redhat.com
Blocks: 1699336
Target Milestone: ---
Classification: Other
The fix for SECURITY-901/CVE-2019-1003004 in Jenkins 2.150.2 and 2.160 did not reject existing remoting-based CLI authentication caches.
This means that users who cached their CLI authentication before Jenkins was updated to 2.150.2 or newer (LTS), or 2.160 or newer (weekly), remained authenticated after the update.
Support for the remoting-based CLI was dropped in Jenkins 2.165, so newer weekly releases are not affected. Jenkins 2.164.2 no longer supports legacy CLI authentication caches from before 2.150.2/2.160, and these users will be considered logged out.
External References:
https://jenkins.io/security/advisory/2019-04-10/#SECURITY-1289