CVE-2019-10353

Published: Jul 17, 2019Modified: Nov 21, 2024

7.5

Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 1.6 / Impact: 5.9

Source: NVD

Description

CSRF tokens in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier did not expire, thereby allowing attackers able to obtain them to bypass CSRF protection.

Affected (2)

Products: Jenkins: Jenkins

Jenkins

1 product

Jenkins

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Jenkins Jenkins	Up to 2.185
Jenkins Jenkins	Up to 2.176.1

Related CWEs

CWE-352

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References (10)

http://www.openwall.com/lists/oss-security/2019/07/17/2

Source: jenkinsci-cert@googlegroups.com

Mailing ListThird Party Advisory

http://www.securityfocus.com/bid/109373

Source: jenkinsci-cert@googlegroups.com

https://access.redhat.com/errata/RHSA-2019:2503

Source: jenkinsci-cert@googlegroups.com

https://access.redhat.com/errata/RHSA-2019:2548

Source: jenkinsci-cert@googlegroups.com

https://jenkins.io/security/advisory/2019-07-17/#SECURITY-626

Source: jenkinsci-cert@googlegroups.com

Vendor Advisory

http://www.openwall.com/lists/oss-security/2019/07/17/2