← Back

CVE-2019-10384

nvd nist
Published: Aug 28, 2019Modified: Nov 21, 2024

JSON object

Loading...
8.8
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: 2.8 / Impact: 5.9
Source: NVD

Description

Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed users to obtain CSRF tokens without an associated web session ID, resulting in CSRF tokens that did not expire and could be used to bypass CSRF protection for the anonymous user.

Affected (5)

Jenkins
1 product
Jenkins
Oracle
1 product
Communications Cloud Native Core Automated Test Suite
Redhat
1 product
Openshift Container Platform
Configuration A
2 vulnerable
Vulnerable SoftwareAffected Versions
Jenkins
Jenkins
Up to 2.191
Jenkins
Up to 2.176.2
Configuration B
1 vulnerable
Vulnerable SoftwareAffected Versions
Communications Cloud Native Core Automated Test Suite
Version 1.9.0
Configuration C
2 vulnerable
Vulnerable SoftwareAffected Versions
Redhat
Openshift Container Platform
Version 3.11
Openshift Container Platform
Version 4.1

Related CWEs

CWE-352
Cross-Site Request Forgery (CSRF)
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References (10)

Source: jenkinsci-cert@googlegroups.com
Mailing ListThird Party Advisory
Source: jenkinsci-cert@googlegroups.com
Third Party Advisory
Source: jenkinsci-cert@googlegroups.com
Third Party Advisory
Source: jenkinsci-cert@googlegroups.com
Vendor Advisory
Source: jenkinsci-cert@googlegroups.com
PatchThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing ListThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
PatchThird Party Advisory

Timeline

No history available yet.