
CVE-2019-1003004: Improper Authorization in Jenkins Core

CVSS Score (v3.1): 7.2

Basic Information

EPSS Score: 0.81169%
Published: 5/13/2022
Updated: 1/30/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Package Name: org.jenkins-ci.main:jenkins-core
Ecosystem: maven
Vulnerable Versions: < 2.159
First Patched Version: 2.159

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability centers on improper session invalidation when users are deleted in external security realms. The patch introduced a per-user seed that is checked during authentication so that existing sessions and 'Remember me' cookies can be invalidated. The key vulnerable function is the authentication processor for 'Remember me' cookies (RememberMeLoginFilter.attemptAuthentication), which in pre-patch versions performed no seed validation. A cookie issued before the deletion therefore remained valid indefinitely, letting an attacker who held it keep an active session even after the user account had been removed. The function's role in cookie-based authentication matches the mechanism described in the advisory.
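The per-user seed mechanism described above, as an added example that is not Jenkins code and not part of the original page: a remember-me cookie whose MAC covers a per-user random seed is rejected as soon as the user record is deleted, recreated, or has its seed rotated, whereas a cookie whose MAC covers only the user name and expiry outlives the account it was issued for. The store, key and cookie layout are constructed for the example; it generalizes the page's point to forced logout via seed rotation.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed server-side signing key; a real deployment keeps this outside the code.
SERVER_KEY = b"constructed-demo-key-not-for-production"


class UserStore:
    """Minimal in-memory user directory (assumption: models the Jenkins-side user record).

    Every user carries a random seed. The seed is regenerated when the record is
    recreated and can be rotated on demand, which is how an admin forces a logout."""

    def __init__(self) -> None:
        self._seeds: Dict[str, str] = {}

    def create(self, name: str) -> str:
        self._seeds[name] = secrets.token_hex(16)
        return self._seeds[name]

    def delete(self, name: str) -> None:
        self._seeds.pop(name, None)

    def rotate_seed(self, name: str) -> Optional[str]:
        if name not in self._seeds:
            return None
        return self.create(name)

    def seed_of(self, name: str) -> Optional[str]:
        return self._seeds.get(name)


def _mac(*parts: str) -> str:
    # HMAC over the '|'-joined parts; hex output keeps the cookie printable.
    return hmac.new(SERVER_KEY, "|".join(parts).encode(), hashlib.sha256).hexdigest()


def issue_cookie(store: UserStore, name: str, ttl: int, now: int, bind_seed: bool) -> str:
    """Return 'name:expiry:mac'. With bind_seed the MAC also covers the user's current seed."""
    expiry = str(now + ttl)
    seed = store.seed_of(name) or ""
    mac = _mac(name, expiry, seed) if bind_seed else _mac(name, expiry)
    return f"{name}:{expiry}:{mac}"


def validate_cookie(store: UserStore, cookie: str, now: int, check_seed: bool) -> Optional[str]:
    """Return the authenticated user name, or None if the cookie must be rejected.

    check_seed=False reproduces the pre-patch behaviour described on the page: the MAC
    is recomputed from name and expiry only, so deleting or recreating the user record
    does not invalidate a cookie issued earlier.
    check_seed=True is the patched behaviour: the current seed is part of the MAC input,
    so a missing user or a changed seed makes every older cookie fail verification."""
    try:
        name, expiry, mac = cookie.split(":")
    except ValueError:
        return None
    if now > int(expiry):
        return None
    if check_seed:
        seed = store.seed_of(name)
        if seed is None:
            return None  # user record gone: nothing to bind the cookie to
        expected = _mac(name, expiry, seed)
    else:
        expected = _mac(name, expiry)
    return name if hmac.compare_digest(mac, expected) else None


def stale_cookie_scenario() -> Dict[str, Optional[str]]:
    """Issue cookies, delete and recreate the user, then try the old cookies again."""
    store = UserStore()
    store.create("alice")
    unbound = issue_cookie(store, "alice", ttl=3600, now=1000, bind_seed=False)
    bound = issue_cookie(store, "alice", ttl=3600, now=1000, bind_seed=True)
    store.delete("alice")
    store.create("alice")  # e.g. the record is re-provisioned from an external realm
    return {
        "unbound_after_recreate": validate_cookie(store, unbound, now=1500, check_seed=False),
        "bound_after_recreate": validate_cookie(store, bound, now=1500, check_seed=True),
    }


if __name__ == "__main__":
    print(stale_cookie_scenario())
```

The seed never appears in the cookie itself; it only enters the MAC input on the server, so rotating it is enough to invalidate every outstanding cookie for that user without touching the clients.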


WAF Protection Rules

WAF Rule

An improper authorization vulnerability exists in Jenkins 2.158 and earlier, LTS 2.150.1 and earlier in core/src/main/java/hudson/security/AuthenticationProcessingFilter2.java that allows attackers to extend the duration of active HTTP sessions inde...
