PT-2019-1544 · Red Hat+2 · Red Hat Openshift Container Platform+1

Nimrod Stoler · Published 2019-01-16 · Updated 2023-10-25 · CVE-2019-1003004

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Jenkins versions 2.158 and earlier
Jenkins LTS versions 2.150.1 and earlier
Jenkins (affected versions not specified) in Red Hat OpenShift Container Platform
Description

The issue is an improper authorization vulnerability that lets an attacker extend the lifetime of an active HTTP session indefinitely. As a result, a remote attacker can keep reusing login credentials or session identifiers to authenticate even after the corresponding user account has been deleted. The vulnerability is located in the AuthenticationProcessingFilter2.java file of the Jenkins core component.

Recommendations

For Jenkins versions 2.158 and earlier, update to a version that includes the fix for this issue. For Jenkins LTS versions 2.150.1 and earlier, update to a newer LTS version that includes the fix. For Jenkins in Red Hat OpenShift Container Platform, consider restricting access to the AuthenticationProcessingFilter2.java component until a patch is available. As a temporary workaround, consider disabling the reuse of session identifiers to reduce the risk of exploitation.
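
The weakness class behind this advisory (a session that stays valid as long as it keeps being used, and that outlives the account it was issued for) is easiest to see in a small server-side session store. The following is an added illustration written for this page, not Jenkins code and not the patched AuthenticationProcessingFilter2 logic; the SessionStore class, its parameters and the simulate() driver are all hypothetical. The sliding_only=True policy renews the session on every request and never asks whether the principal still exists, so a client that keeps polling holds the session open indefinitely and a deleted user still authenticates. The hardened policy adds an absolute lifetime cap and re-checks the account store on each request.

```python
"""Illustration of insufficient session expiration (CWE-613) and its fix.
Hypothetical example code, not Jenkins's implementation."""
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    principal: str
    created_at: float   # fake-clock time the session was issued
    last_seen: float    # fake-clock time of the last request that used it


class SessionStore:
    def __init__(self, idle_timeout, absolute_lifetime, user_exists, sliding_only=False):
        self.idle_timeout = idle_timeout            # seconds without a request before expiry
        self.absolute_lifetime = absolute_lifetime  # hard cap measured from creation
        self.user_exists = user_exists              # callback into the account store
        self.sliding_only = sliding_only            # True reproduces the weak policy
        self.sessions = {}

    def create(self, principal, now):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(principal, now, now)
        return sid

    def authenticate(self, sid, now):
        """Return the principal bound to a still-valid session, or None."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        if now - s.last_seen > self.idle_timeout:
            self._revoke(sid)
            return None
        if self.sliding_only:
            # Weak policy: every request pushes the expiry forward, and the
            # account is never re-checked, so nothing ever ends the session.
            s.last_seen = now
            return s.principal
        if now - s.created_at > self.absolute_lifetime:
            self._revoke(sid)          # cap reached even though the client is active
            return None
        if not self.user_exists(s.principal):
            self._revoke(sid)          # account deleted since login
            return None
        s.last_seen = now
        return s.principal

    def _revoke(self, sid):
        self.sessions.pop(sid, None)


def simulate(sliding_only):
    """Drive a store with a fake clock (seconds). Returns the pair
    (session still valid after 24h of steady use, session still valid after
    the account is deleted)."""
    users = {"alice"}                               # constructed account store
    store = SessionStore(idle_timeout=1800, absolute_lifetime=8 * 3600,
                         user_exists=lambda p: p in users, sliding_only=sliding_only)
    now = 0
    sid = store.create("alice", now)
    for _ in range(24 * 6):                         # one request every 10 minutes
        now += 600
        store.authenticate(sid, now)
    alive_after_long_use = store.authenticate(sid, now) is not None
    users.discard("alice")                          # the account is deleted
    now += 600
    alive_after_deletion = store.authenticate(sid, now) is not None
    return alive_after_long_use, alive_after_deletion


if __name__ == "__main__":
    print("sliding-only policy:", simulate(True))    # (True, True)
    print("hardened policy:   ", simulate(False))   # (False, False)
```

With the fake clock, the weak policy reports (True, True): the session survives a full day of polling and keeps authenticating a user who no longer exists. The hardened policy reports (False, False): the absolute cap ends the session after eight hours regardless of activity, and a deleted principal is rejected on the next request. Where the cost of hitting the account store on every request matters, the existence check can be done on a short cache or triggered by a deletion event that revokes that user's sessions; the important property is that deletion, not idle time alone, ends the session.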

Weakness Enumeration

Improper Authorization
Insufficient Session Expiration

Related Identifiers

BDU:2019-01048
CVE-2019-1003004
GHSA-8QXP-G8JV-P37X

Affected Products

Jenkins
Red Hat Openshift Container Platform