Allele Security Alert
ASA-2019-00007, SECURITY-868, CVE-2019-1003003
Administrators could persist access to Jenkins using crafted ‘Remember me’ cookie
Jenkins weekly up to and including 2.159
Jenkins LTS up to and including 2.150.1
Jenkins weekly should be updated to version 2.160
Jenkins LTS should be updated to version 2.150.2
Proof of concept
Users with the Overall/RunScripts permission (typically administrators) could use the Jenkins script console to craft a ‘Remember me’ cookie that would never expire.
This allowed an attacker holding such a cookie to keep access to a Jenkins instance for as long as the corresponding user exists in the configured security realm, for example to persist access after another successful attack.
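The fix in the updated versions rejects ‘Remember me’ cookies whose expiry lies further in the future than a freshly issued cookie would have. The following is an added example, not Jenkins code, that shows that server-side check as a defender would write it for auditing captured cookie values. It assumes the cookie layout Jenkins inherits from Spring Security's token-based remember-me format, base64("username:expiryMillis:signature"), and a configured maximum validity of two weeks; the signature is not verified here, and the sample cookies are constructed with a placeholder signature.

```python
import base64
import time

# Assumption: maximum validity the server itself would grant (two weeks).
MAX_VALIDITY_SECONDS = 14 * 24 * 60 * 60


def decode_remember_me(cookie_value):
    """Split a cookie value into (username, expiry_millis, signature).

    Assumed layout: base64 of "username:expiryMillis:signature".
    """
    padded = cookie_value + "=" * (-len(cookie_value) % 4)
    raw = base64.b64decode(padded).decode("utf-8")
    parts = raw.split(":")
    if len(parts) != 3:
        raise ValueError("unexpected remember-me token layout")
    username, expiry_str, signature = parts
    return username, int(expiry_str), signature


def expiry_within_policy(expiry_millis, now_seconds, max_validity=MAX_VALIDITY_SECONDS):
    """The post-fix rule: a token may not outlive one issued right now."""
    latest_allowed_millis = (now_seconds + max_validity) * 1000
    return expiry_millis <= latest_allowed_millis


def classify_cookie(cookie_value, now_seconds=None):
    """Return 'expired', 'reject' (expiry beyond policy) or 'accept'."""
    now_seconds = int(time.time()) if now_seconds is None else now_seconds
    _username, expiry_millis, _signature = decode_remember_me(cookie_value)
    if expiry_millis < now_seconds * 1000:
        return "expired"
    if not expiry_within_policy(expiry_millis, now_seconds):
        return "reject"
    return "accept"


def constructed_cookie(username, expiry_millis):
    """Build a constructed sample value for testing; the signature is a placeholder."""
    raw = f"{username}:{expiry_millis}:placeholder-signature"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    now = int(time.time())
    normal = constructed_cookie("alice", (now + 7 * 24 * 3600) * 1000)
    far_future = constructed_cookie("alice", (now + 10 * 365 * 24 * 3600) * 1000)
    print(classify_cookie(normal, now), classify_cookie(far_future, now))
```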
Credit: Apple Information Security
Reference: Jenkins Security Advisory 2019-01-16, Multiple vulnerabilities in Jenkins
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: January 23, 2019