Description
An improper authentication vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier, in SecurityRealm.java and TokenBasedRememberMeServices2.java, that allows attackers with a valid cookie to remain logged in even if that feature is disabled.
Remediation
References
https://jenkins.io/security/advisory/2018-08-15/#SECURITY-996
Related Vulnerabilities
CVE-2016-5393 Vulnerability in maven package org.apache.hadoop:hadoop-common
CVE-2015-5209 Vulnerability in maven package org.apache.struts:struts2-core
CVE-2017-5646 Vulnerability in maven package org.apache.knox:gateway
CVE-2017-4992 Vulnerability in maven package org.cloudfoundry.identity:cloudfoundry-identity-uaa
CVE-2015-3250 Vulnerability in maven package org.apache.directory.api:api-all