GHSA-742j-jcfr-23w3

Source
https://github.com/advisories/GHSA-742j-jcfr-23w3
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-742j-jcfr-23w3/GHSA-742j-jcfr-23w3.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-742j-jcfr-23w3
Aliases
Published
2022-05-13T01:01:01Z
Modified
2023-11-01T04:49:50.551953Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Insufficient Session Expiration in Jenkins
Details

Users who cached their CLI authentication before Jenkins was updated to 2.150.2 and newer, or 2.160 and newer, would remain authenticated in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, because the fix for CVE-2019-1003004 in these releases did not reject existing remoting-based CLI authentication caches.

References

Affected packages

Maven / org.jenkins-ci.main:jenkins-core

Package

Name
org.jenkins-ci.main:jenkins-core
Purl
pkg:maven/org.jenkins-ci.main/jenkins-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.164.2

Database specific

{
    "last_known_affected_version_range": "<= 2.164.1"
}

Maven / org.jenkins-ci.main:jenkins-core

Package

Name
org.jenkins-ci.main:jenkins-core
Purl
pkg:maven/org.jenkins-ci.main/jenkins-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.165
Fixed
2.172

Database specific

{
    "last_known_affected_version_range": "<= 2.171"
}