cve-2019-10353
Vulnerability from cvelistv5
Published
2019-07-17 15:45
Modified
2024-08-04 22:17
Severity
Summary
CSRF tokens in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier did not expire, thereby allowing attackers able to obtain them to bypass CSRF protection.
References
Impacted products
Vendor | Product |
---|---|
Jenkins project | Jenkins |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T22:17:20.468Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "[oss-security] 20190717 Multiple vulnerabilities in Jenkins", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2019/07/17/2" }, { "name": "109373", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/109373" }, { "name": "RHSA-2019:2503", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2019:2503" }, { "name": "RHSA-2019:2548", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2019:2548" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jenkins.io/security/advisory/2019-07-17/#SECURITY-626" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jenkins", "vendor": "Jenkins project", "versions": [ { "status": "affected", "version": "2.185 and earlier, LTS 2.176.1 and earlier" } ] } ], "descriptions": [ { "lang": "en", "value": "CSRF tokens in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier did not expire, thereby allowing attackers able to obtain them to bypass CSRF protection." } ], "providerMetadata": { "dateUpdated": "2023-10-24T16:47:58.135Z", "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins" }, "references": [ { "name": "[oss-security] 20190717 Multiple vulnerabilities in Jenkins", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2019/07/17/2" }, { "name": "109373", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/109373" }, { "name": "RHSA-2019:2503", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2019:2503" }, { "name": "RHSA-2019:2548", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2019:2548" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jenkins.io/security/advisory/2019-07-17/#SECURITY-626" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "jenkinsci-cert@googlegroups.com", "ID": "CVE-2019-10353", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jenkins", "version": { "version_data": [ { "version_value": "2.185 and earlier, LTS 2.176.1 and earlier" } ] } } ] }, "vendor_name": "Jenkins project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "CSRF tokens in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier did not expire, thereby allowing attackers able to obtain them to bypass CSRF protection." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-352" } ] } ] }, "references": { "reference_data": [ { "name": "[oss-security] 20190717 Multiple vulnerabilities in Jenkins", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2019/07/17/2" }, { "name": "109373", "refsource": "BID", "url": "http://www.securityfocus.com/bid/109373" }, { "name": "RHSA-2019:2503", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:2503" }, { "name": "RHSA-2019:2548", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:2548" }, { "name": "https://jenkins.io/security/advisory/2019-07-17/#SECURITY-626", "refsource": "CONFIRM", "url": "https://jenkins.io/security/advisory/2019-07-17/#SECURITY-626" } ] } } } }, "cveMetadata": { "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2019-10353", "datePublished": "2019-07-17T15:45:13", "dateReserved": "2019-03-29T00:00:00", "dateUpdated": "2024-08-04T22:17:20.468Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2019-10353\",\"sourceIdentifier\":\"jenkinsci-cert@googlegroups.com\",\"published\":\"2019-07-17T16:15:12.490\",\"lastModified\":\"2023-10-25T18:16:17.723\",\"vulnStatus\":\"Modified\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"CSRF tokens in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier did not expire, thereby allowing attackers able to obtain them to bypass CSRF protection.\"},{\"lang\":\"es\",\"value\":\"Unos tokens de tipo CSRF en Jenkins versiones 2.185 y anteriores, LTS versiones 2.176.1 y anteriores, no expiraron, de este modo permitieron a atacantes capaces de lograrlo omitir la protecci\u00f3n de tipo CSRF.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":1.6,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:H/Au:N/C:P/I:P/A:P\",\"accessVector\":\"NETWORK\",\"accessComplexity\":\"HIGH\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\",\"baseScore\":5.1},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":4.9,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-352\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*\",\"versionEndIncluding\":\"2.176.1\",\"matchCriteriaId\":\"36061F39-5E8A-4308-B032-CACA3D215495\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*\",\"versionEndIncluding\":\"2.185\",\"matchCriteriaId\":\"096D9B21-29B1-40BD-AF5E-0802664D9F9A\"}]}]}],\"references\":[{\"url\":\"http://www.openwall.com/lists/oss-security/2019/07/17/2\",\"source\":\"jenkinsci-cert@googlegroups.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/109373\",\"source\":\"jenkinsci-cert@googlegroups.com\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2019:2503\",\"source\":\"jenkinsci-cert@googlegroups.com\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2019:2548\",\"source\":\"jenkinsci-cert@googlegroups.com\"},{\"url\":\"https://jenkins.io/security/advisory/2019-07-17/#SECURITY-626\",\"source\":\"jenkinsci-cert@googlegroups.com\",\"tags\":[\"Vendor Advisory\"]}]}}" } }
Loading...