CVE-2019-1003049

HIGH

Jenkins < 2.164.1 and < 2.171 - Insufficient Session Expiration

Title source: llm

Description

Users who cached their CLI authentication before Jenkins was updated to 2.150.2 and newer, or 2.160 and newer, would remain authenticated in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, because the fix for CVE-2019-1003004 in these releases did not reject existing remoting-based CLI authentication caches.

References (4)

Core 4

Core References

Broken Link vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/107901

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHBA-2019:1605

Patch, Third Party Advisory x_refsource_misc

https://www.oracle.com/security-alerts/cpuapr2022.html

Vendor Advisory x_refsource_confirm

https://jenkins.io/security/advisory/2019-04-10/#SECURITY-1289

Scores

CVSS v3 8.1

EPSS 0.0047

EPSS Percentile 64.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-613

Status published

Products (5)

jenkins/jenkins < 2.164.1

jenkins/jenkins < 2.171

oracle/communications_cloud_native_core_automated_test_suite 1.9.0

org.jenkins-ci.main/jenkins-core 0 - 2.164.2Maven

redhat/openshift_container_platform 3.11

Published Apr 10, 2019

Tracked Since Feb 18, 2026