Allele Security Alert
ASA-2019-00008, SECURITY-901, CVE-2019-1003004
Deleting a user in an external security realm did not invalidate their session or ‘Remember me’ cookie
Jenkins weekly up to and including 2.159
Jenkins LTS up to and including 2.150.1
Jenkins weekly should be updated to version 2.160
Jenkins LTS should be updated to version 2.150.2
Proof of concept
When using an external security realm such as LDAP or Active Directory, deleting a user from that realm did not by itself cause the user to lose access to Jenkins: an HTTP session or ‘Remember me’ cookie issued before the deletion kept working.
Deleting the user's record in Jenkins did invalidate the ‘Remember me’ cookie, but there was no way to invalidate the user's active sessions other than restarting Jenkins or terminating the sessions through other means, such as the Monitoring plugin.
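To make the failure mode concrete, here is an added example, constructed for this alert and not code from Jenkins or from the original advisory: a toy session store that caches the principal at login and never re-checks the realm, beside a hardened store that binds each session and ‘Remember me’ token to a per-user seed that disappears when the user is deleted. The realm (a plain set of account names), the seed and the token format are assumptions for illustration; the per-user-seed approach is one common design and models, rather than reproduces, the Jenkins fix.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example, not Jenkins code. The "realm" is a stand-in for an
# LDAP/AD directory: the set of accounts it knows. Any password is accepted
# for a known account; only the account's presence matters here.


class VulnerableSessions:
    """Caches the principal at login and trusts it for the session's lifetime."""

    def __init__(self, realm):
        self.realm = realm  # set of usernames the external realm knows
        self.sessions = {}  # session id -> username

    def login(self, username, password):
        if username not in self.realm:
            return None
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = username
        return sid

    def who_am_i(self, sid):
        # The bug: nothing re-checks the realm, so a user deleted from it keeps
        # access until the session expires or the server restarts.
        return self.sessions.get(sid)


class SeededSessions:
    """Hardened variant: each user has a random seed; sessions and 'Remember me'
    tokens record the seed they were issued under and are honoured only while it
    is still current. Deleting the user drops the seed, orphaning all of them."""

    def __init__(self, realm):
        self.realm = realm
        self.key = secrets.token_bytes(32)  # server-side MAC key for tokens
        self.seeds = {}  # username -> current seed
        self.sessions = {}  # session id -> (username, seed)

    def _open_session(self, username):
        seed = self.seeds.setdefault(username, secrets.token_hex(8))
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = (username, seed)
        return sid

    def login(self, username, password):
        return self._open_session(username) if username in self.realm else None

    def delete_user(self, username):
        self.realm.discard(username)
        self.seeds.pop(username, None)  # every session/token of the user is now stale

    def who_am_i(self, sid):
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        username, seed = entry
        if seed != self.seeds.get(username) or username not in self.realm:
            self.sessions.pop(sid, None)  # reject and drop on first use
            return None
        return username

    def _mac(self, username, expiry, seed):
        msg = f"{username}:{expiry}:{seed}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def issue_remember_me(self, username, ttl=30 * 86400):
        seed = self.seeds.get(username)
        if seed is None:
            return None
        expiry = int(time.time()) + ttl
        return f"{username}:{expiry}:{self._mac(username, expiry, seed)}"

    def login_with_remember_me(self, token):
        username, expiry, sig = token.split(":")
        seed = self.seeds.get(username)
        if seed is None or username not in self.realm or int(expiry) < time.time():
            return None
        if not hmac.compare_digest(sig, self._mac(username, expiry, seed)):
            return None
        return self._open_session(username)


def demo():
    """Delete alice after login; return what each store still says about her session/cookie."""
    vuln = VulnerableSessions({"alice", "bob"})
    sid = vuln.login("alice", "pw")
    vuln.realm.discard("alice")  # deleted from the directory, not from the session store
    leaked = vuln.who_am_i(sid)  # "alice": the deleted account still has access

    hard = SeededSessions({"alice", "bob"})
    sid = hard.login("alice", "pw")
    cookie = hard.issue_remember_me("alice")
    hard.delete_user("alice")
    return leaked, hard.who_am_i(sid), hard.login_with_remember_me(cookie)
```

demo() returns ('alice', None, None): the vulnerable store still identifies the deleted user, while the seeded store rejects both her old session and her ‘Remember me’ token on first use, with no restart needed. Binding tokens to the seed rather than only to the username is what makes the cookie half of the fix work; checking realm membership as well covers the case where the user record was never deleted in Jenkins but the account vanished from the directory. Against a real instance the equivalent check is to log in, delete the account from the directory, then request the whoAmI page with the old session cookie and confirm it is no longer recognised.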
Nimrod Stoler (CyberArk Labs)
Jenkins Security Advisory 2019-01-16
Jenkins security advisory
Multiple vulnerabilities in Jenkins
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: January 23, 2019