CVE-2019-1003004: Improper Authorization in Jenkins Core
7.2
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.81169%
CWE
Published
5/13/2022
Updated
1/30/2023
KEV Status
No
Technology
Java
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
org.jenkins-ci.main:jenkins-core | maven | < 2.159 | 2.159 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability centers on improper session invalidation when users are deleted in external security realms. The patch introduced a per-user seed to invalidate sessions/cookies. The key vulnerable function is the authentication processor for 'Remember me' cookies (RememberMeLoginFilter.attemptAuthentication
), which lacked seed validation in pre-patch versions. This allowed attackers to maintain active sessions indefinitely using stale cookies, even after user deletion. The function's role in cookie-based authentication directly aligns with the vulnerability's mechanism described in the advisory.