https://bugzilla.redhat.com/show_bug.cgi?id=1668345
Bug ID: 1668345
Summary: CVE-2019-1003003 Jenkins: cookie crafted using Jenkins script console allows unauthorised access to Jenkins instance
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Whiteboard: impact=moderate,public=20190116,reported=20190116,source=oss-security,cvss3=6.6/CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H,cwe=CWE-384->CWE-613,fedora-28/jenkins=affected
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: msiddiqu(a)redhat.com
CC: java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com, msrb(a)redhat.com
Target Milestone: ---
Classification: Other
Users with the Overall/RunScripts permission (typically administrators) were
able to use the Jenkins script console to craft a 'Remember me' cookie that
would never expire. This gave attackers access to the Jenkins instance for as
long as the corresponding user exists in the configured security realm, for
example to persist access after another successful attack.