Jenkins Multiple Unauthorized Access Vulnerabilities

Bugtraq ID:	106680
Class:	Design Error
CVE:	CVE-2019-1003003 CVE-2019-1003004
Remote:	Yes
Local:	No
Published:	Jan 16 2019 12:00AM
Updated:	Jan 16 2019 12:00AM
Credit:	Apple Information Security and Nimrod Stoler from CyberArk Labs.
Vulnerable:	Jenkins Jenkins 2.150.1 Jenkins Jenkins 2.138.1 Jenkins Jenkins 2.159 Jenkins Jenkins 2.158 Jenkins Jenkins 2.157 Jenkins Jenkins 2.156 Jenkins Jenkins 2.155 Jenkins Jenkins 2.154 Jenkins Jenkins 2.153 Jenkins Jenkins 2.146 Jenkins Jenkins 2.145 Jenkins Jenkins 2.144 Jenkins Jenkins 2.143 Jenkins Jenkins 2.142 Jenkins Jenkins 2.141 Jenkins Jenkins 2.140 Jenkins Jenkins 2.138 Jenkins Jenkins 2.137 Jenkins Jenkins 2.136 Jenkins Jenkins 2.135 Jenkins Jenkins 2.134 Jenkins Jenkins 2.133 Jenkins Jenkins 2.132 Jenkins Jenkins 2.131
Not Vulnerable:	Jenkins Jenkins 2.150.2 Jenkins Jenkins 2.160

Jenkins Multiple Unauthorized Access Vulnerabilities

Jenkins is prone to multiple unauthorized-access vulnerabilities.

Successfully exploiting these issues may allow an attacker to gain unauthorized access, obtain sensitive information and perform unauthorized actions; This may lead to other attacks.

The following product versions are vulnerable:

Jenkins weekly 2.159 and prior
Jenkins LTS 2.150.1 and prior

Jenkins Multiple Unauthorized Access Vulnerabilities

Currently, we are not aware of any working exploits. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].

Jenkins Multiple Unauthorized Access Vulnerabilities

Solution:
Updates are available. Please see the references or vendor advisory for more information.