PT-2019-2981 · Cloudbees+1 · Jenkins

Published: 2019-01-16 · Updated: 2023-10-25 · CVE-2019-1003003

CVSS v2.0: 9.0 (High)

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Jenkins versions 2.158 and earlier; Jenkins LTS versions 2.150.1 and earlier
Description: The issue is an improper authorization vulnerability in the TokenBasedRememberMeServices2.java component. It allows attackers with Overall/RunScripts permission to craft Remember Me cookies that never expire, potentially leading to unauthorized access to protected information. In practice, an attacker who has temporarily compromised a user account can use such a cookie to persist access to that account.
Recommendations: For Jenkins versions 2.158 and earlier, consider disabling the TokenBasedRememberMeServices2.java component until a patch is available. For Jenkins LTS versions 2.150.1 and earlier, restrict access to the Remember Me functionality to minimize the risk of exploitation. As a temporary workaround, do not use the Remember Me feature on affected Jenkins versions until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
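An added example, not part of this advisory record or of the Jenkins project: a Groovy script for the Jenkins script console that applies the workaround above (stop using Remember Me) only when the running instance falls inside the affected version ranges listed on this page. It assumes the instance exposes Jenkins.get(), Jenkins.getVersion(), Jenkins.VERSION and the disableRememberMe getter/setter, and that the account running it holds Overall/Administer.

```groovy
import jenkins.model.Jenkins
import hudson.util.VersionNumber

// Added example for the Jenkins script console (Manage Jenkins > Script Console).
// Version cut-offs are the ones stated in this advisory: weekly 2.158 and LTS 2.150.1 and earlier.
def jenkins = Jenkins.get()
def running = Jenkins.getVersion()              // hudson.util.VersionNumber, null if not yet computed
def isLts = Jenkins.VERSION.count('.') >= 2     // LTS releases carry a third component, e.g. 2.150.1
def lastAffected = new VersionNumber(isLts ? '2.150.1' : '2.158')

// Treat an unknown version as affected rather than silently leaving Remember Me on.
def affected = (running == null) || !running.isNewerThan(lastAffected)
println "Running Jenkins ${Jenkins.VERSION} (${isLts ? 'LTS' : 'weekly'}); in CVE-2019-1003003 affected range: ${affected}"
println "Remember Me is currently ${jenkins.isDisableRememberMe() ? 'disabled' : 'enabled'}"

if (affected && !jenkins.isDisableRememberMe()) {
    // Apply the advisory's workaround: stop issuing Remember Me cookies until the instance is upgraded.
    jenkins.setDisableRememberMe(true)
    jenkins.save()
    println "Remember Me disabled and global security configuration saved."
}
```

The verdict is based purely on the version cut-offs quoted on this page, so re-run it after any upgrade to confirm the setting can be reverted.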

Weakness Enumeration

Improper Authorization
Insufficient Session Expiration

Related Identifiers

BDU:2019-02959
CVE-2019-1003003
GHSA-6RH5-23HX-J452

Affected Products

Jenkins