CVE-2019-1003019 - OpenCVE

An session fixation vulnerability exists in Jenkins GitHub Authentication Plugin 0.29 and earlier in GithubSecurityRealm.java that allows unauthorized attackers to impersonate another user if they can control the pre-authentication session.

No CVSS v3.1

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Jenkins	Github Oauth

Configuration 1 [-]

cpe:2.3:a:jenkins:github_oauth:*:*:*:*:*:jenkins:*:*

References

Link	Resource
https://jenkins.io/security/advisory/2019-01-28/#SECURITY-797	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: jenkins

Published: 2022-10-03T16:19:42

Updated: 2023-10-24T16:44:52.142Z

Reserved: 2022-10-03T00:00:00

Link: CVE-2019-1003019

JSON object: View

NVD Information

Status : Modified

Published: 2019-02-06T16:29:00.920

Modified: 2023-10-25T18:16:02.280

Link: CVE-2019-1003019

JSON object: View

Redhat Information

No data.

CWE

CWE-384

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:github_oauth:*:*:*:*:*:jenkins:*:*", "matchCriteriaId": "98D93078-72DC-4861-BFC8-D4AFC39D8F68", "versionEndIncluding": "0.29", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An session fixation vulnerability exists in Jenkins GitHub Authentication Plugin 0.29 and earlier in GithubSecurityRealm.java that allows unauthorized attackers to impersonate another user if they can control the pre-authentication session."}, {"lang": "es", "value": "Existe una vulnerabilidad de fijaci\u00f3n de sesi\u00f3n en Jenkins GitHub Authentication Plugin, en versiones 0.29 y posteriores, en GithubSecurityRealm.java que permite que los atacantes no autorizados suplanten otro usuario si pueden controlar la sesi\u00f3n de preautenticaci\u00f3n."}], "id": "CVE-2019-1003019", "lastModified": "2023-10-25T18:16:02.280", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-02-06T16:29:00.920", "references": [{"source": "jenkinsci-cert@googlegroups.com", "tags": ["Vendor Advisory"], "url": "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-797"}], "sourceIdentifier": "jenkinsci-cert@googlegroups.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-384"}], "source": "nvd@nist.gov", "type": "Primary"}]}