The vulnerability stems from the `autoLogin` method in `TokenBasedRememberMeServices2.java`, which did not check whether the 'Remember Me' feature was disabled before processing authentication cookies. The patch introduces a guard clause (`if (Jenkins.getInstance().isDisableRememberMe())`) that skips cookie processing when the feature is disabled. The test case `rememberMeToken_shouldNotBeRead_ifOptionIsDisabled` explicitly validates this behavior, confirming the method's role in the vulnerability. The changes to `SecurityRealm.java` concern cookie security flags and not the core authentication bypass.
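The following is an added, simplified Python model of a token-based remember-me check, not Jenkins' own code: it shows why the disable-flag guard has to run before the cookie is parsed, contrasting the pre-patch shape (cookie honoured regardless of the setting) with the patched shape. The cookie format, secret key and user list are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
from typing import Optional

# Constructed values for the example; not Jenkins' real key or users.
SECRET_KEY = b"constructed-example-secret"
KNOWN_USERS = {"alice", "bob"}


def _sign(username: str, expiry_ms: int) -> str:
    """HMAC over the cookie payload so a client cannot forge or extend it."""
    msg = f"{username}:{expiry_ms}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def make_cookie(username: str, expiry_ms: int) -> str:
    """Issue a remember-me cookie: base64("user:expiry:signature")."""
    token = f"{username}:{expiry_ms}:{_sign(username, expiry_ms)}"
    return base64.b64encode(token.encode()).decode()


def _verify_cookie(cookie: Optional[str], now_ms: int) -> Optional[str]:
    """Return the username if the cookie is well-formed, unexpired and signed, else None."""
    if not cookie:
        return None
    try:
        raw = base64.b64decode(cookie, validate=True).decode()
        username, expiry_str, sig = raw.split(":")
        expiry_ms = int(expiry_str)
    except (ValueError, UnicodeDecodeError, binascii.Error):
        return None
    if expiry_ms < now_ms or username not in KNOWN_USERS:
        return None
    if not hmac.compare_digest(sig, _sign(username, expiry_ms)):
        return None
    return username


def auto_login_vulnerable(cookie: Optional[str], disable_remember_me: bool, now_ms: int) -> Optional[str]:
    """Pre-patch shape: the admin setting is never consulted, so a valid cookie still logs in."""
    return _verify_cookie(cookie, now_ms)


def auto_login_fixed(cookie: Optional[str], disable_remember_me: bool, now_ms: int) -> Optional[str]:
    """Patched shape: the guard clause runs before any cookie processing."""
    if disable_remember_me:
        return None
    return _verify_cookie(cookie, now_ms)
```

Cookies issued before the administrator disabled the feature remain cryptographically valid, which is why only the guard, not stricter signature checking, closes the bypass.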
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.jenkins-ci.main:jenkins-core | maven | < 2.121.3 | 2.121.3 |
| org.jenkins-ci.main:jenkins-core | maven | >= 2.122, < 2.138 | 2.138 |