ASA-2019-00007 – Jenkins: Administrators could persist access to Jenkins using crafted ‘Remember me’ cookie


Allele Security Alert

ASA-2019-00007

Identifier(s)

ASA-2019-00007, SECURITY-868, CVE-2019-1003003

Title

Administrators could persist access to Jenkins using crafted ‘Remember me’ cookie

Vendor(s)

CloudBees

Product(s)

Jenkins

Affected version(s)

Jenkins weekly up to and including 2.159
Jenkins LTS up to and including 2.150.1

Fixed version(s)

Jenkins weekly should be updated to version 2.160
Jenkins LTS should be updated to version 2.150.2

Proof of concept

Unknown

Description

Users with the Overall/RunScripts permission (typically administrators) were able to use the Jenkins script console to craft a ‘Remember me’ cookie that would never expire.

This allowed attackers to retain access to a Jenkins instance for as long as the corresponding user existed in the configured security realm, for example to persist access after another successful attack.
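The advisory gives no technical details, but the defect it describes is a server-side one: the expiry embedded in a 'Remember me' token was trusted as long as it lay in the future, so a token minted with an arbitrarily distant expiry was never rejected. The following Python is an added illustration written for this alert, not Jenkins or Spring Security code. The token layout (base64 of "username:expiryMillis:signature"), the HMAC-SHA256 signature, the server secret and the two-week maximum are all assumptions chosen to show where the missing bound sits; the `enforce_max_validity` flag toggles between the trusting check and the bounded one.

```python
import base64
import hashlib
import hmac

# Constructed example (not Jenkins source). Token layout assumed to be
# base64("username:expiryMillis:signature"), signed with a server-side secret.
MAX_VALIDITY_SECS = 14 * 24 * 3600            # assumed configured maximum: two weeks
SERVER_SECRET = b"constructed-example-secret"  # placeholder, not a real key


def _sign(user: str, expiry_ms: int) -> str:
    """HMAC over the fields a verifier must trust (assumed scheme)."""
    msg = f"{user}:{expiry_ms}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(user: str, now_ms: int, validity_secs: int) -> str:
    """Server-side issuance: the normal path caps validity_secs; a script
    console running with the server's secrets does not have to."""
    expiry_ms = now_ms + validity_secs * 1000
    raw = f"{user}:{expiry_ms}:{_sign(user, expiry_ms)}"
    return base64.b64encode(raw.encode()).decode()


def validate_token(cookie: str, now_ms: int, enforce_max_validity: bool = True):
    """Return (user, "ok") on acceptance, or (None, reason) on rejection.

    enforce_max_validity=False reproduces the trusting behaviour the advisory
    describes: any authentic, not-yet-expired token is accepted regardless of
    how far in the future its expiry lies.
    """
    try:
        user, expiry_str, sig = base64.b64decode(cookie).decode().split(":")
        expiry_ms = int(expiry_str)
    except (ValueError, UnicodeDecodeError):
        # binascii.Error (bad base64) is a ValueError subclass; a wrong field
        # count or a non-numeric expiry also land here.
        return None, "malformed"

    if not hmac.compare_digest(sig, _sign(user, expiry_ms)):
        return None, "bad-signature"

    if expiry_ms <= now_ms:
        return None, "expired"

    # The bound the vulnerable code lacked: a token that is authentic and not yet
    # expired, but valid for longer than the server would ever issue, cannot have
    # come from the normal issuance path and must not be honoured.
    if enforce_max_validity and expiry_ms - now_ms > MAX_VALIDITY_SECS * 1000:
        return None, "validity-exceeds-maximum"

    return user, "ok"


if __name__ == "__main__":
    now = 1_547_600_000_000  # constructed clock value (ms), mid-January 2019
    normal = issue_token("alice", now, 7 * 24 * 3600)
    forever = issue_token("alice", now, 100 * 365 * 24 * 3600)
    print("normal token:  ", validate_token(normal, now))
    print("century token, trusting check:", validate_token(forever, now, False))
    print("century token, bounded check: ", validate_token(forever, now))
```

The authentication side stays unchanged; only the last check is new. Signature verification alone cannot catch this class of token, because anyone who can run code on the server can produce a correctly signed token, so the verifier must also refuse to honour an expiry the issuance path could never have produced.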

Technical details

Unknown

Credits

Apple Information Security

Reference(s)

Jenkins Security Advisory 2019-01-16
https://jenkins.io/security/advisory/2019-01-16/

Jenkins security advisory
https://groups.google.com/forum/#!topic/jenkinsci-advisories/_jaWABHE2sg

Multiple vulnerabilities in Jenkins
https://seclists.org/oss-sec/2019/q1/70

CVE-2019-1003003
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1003003

CVE-2019-1003003
https://nvd.nist.gov/vuln/detail/CVE-2019-1003003

If there is any error in this alert, or if you would like a comprehensive analysis, let us know.

Last modified: January 23, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.