Allele Security Alert
ASA-2019-00008
Identifier(s)
ASA-2019-00008, SECURITY-901, CVE-2019-1003004
Title
Deleting a user in an external security realm did not invalidate their session or ‘Remember me’ cookie
Vendor(s)
CloudBees
Product(s)
Jenkins
Affected version(s)
Jenkins weekly up to and including 2.159
Jenkins LTS up to and including 2.150.1
Fixed version(s)
Jenkins weekly should be updated to version 2.160
Jenkins LTS should be updated to version 2.150.2
Proof of concept
Unknown
Description
When using an external security realm such as LDAP or Active Directory, deleting a user from the security realm does not result in the user losing access to Jenkins.
While deleting the user record from Jenkins did invalidate the ‘Remember me’ cookie, there was no way to invalidate active sessions besides restarting Jenkins or terminating sessions through other means, such as the Monitoring Plugin.
Technical details
Unknown
Credits
Nimrod Stoler (CyberArk Labs)
Reference(s)
Jenkins Security Advisory 2019-01-16
https://jenkins.io/security/advisory/2019-01-16/
Jenkins security advisory
https://groups.google.com/forum/#!topic/jenkinsci-advisories/_jaWABHE2sg
Multiple vulnerabilities in Jenkins
https://seclists.org/oss-sec/2019/q1/70
CVE-2019-1003004 (MITRE)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1003004
CVE-2019-1003004 (NVD)
https://nvd.nist.gov/vuln/detail/CVE-2019-1003004
If there is any error in this alert or you wish for a comprehensive analysis, let us know.
Last modified: January 23, 2019