CVE-2019-10384: Cross-Site Request Forgery in Jenkins

Severity: 8.8 HIGH (NVD)
EPSS: 0.2% (top 64.05%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Aug 28; Latest update May 24

Description

Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed users to obtain CSRF tokens without an associated web session ID, resulting in CSRF tokens that did not expire and could be used to bypass CSRF protection for the anonymous user.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (3 packages)

NVD: jenkins/jenkins, 2.176.2 (+1)
CVEListV5: jenkins_project/jenkins, 2.191 and earlier, LTS 2.176.2 and earlier

Also affects: Openshift Container Platform 3.11, 4.1

Patches

🔴 Vulnerability Details (3)

GHSA: Cross-Site Request Forgery in Jenkins (2022-05-24)
OSV: Cross-Site Request Forgery in Jenkins (2022-05-24)
CVEList: CVE-2019-10384: Jenkins 2 (2019-08-28)

📋 Vendor Advisories (2)

Jenkins: Jenkins Security Advisory 2019-08-28 (2019-08-28)
Red Hat: jenkins: CSRF protection tokens for anonymous users did not expire in some circumstances (SECURITY-1491) (2019-08-28)

💬 Community (2)

Bugzilla: CVE-2019-10384 jenkins: CSRF protection tokens for anonymous users did not expire in some circumstances (SECURITY-1491) (2019-08-30)
Bugzilla: CVE-2019-10384 jenkins: CSRF protection tokens for anonymous users did not expire in some circumstances (SECURITY-1491) [fedora-all] (2019-08-30)
CVE-2019-10384 — Cross-Site Request Forgery in Jenkins | cvebase