ghsa-hcxf-rq72-h4rr
Vulnerability from github
Published
2022-05-24 16:50
Modified
2022-06-28 22:58
Severity
Summary
Cross-Site Request Forgery in Jenkins
Details
CSRF tokens in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier did not expire, thereby allowing attackers able to obtain them to bypass CSRF protection.
{ "affected": [ { "database_specific": { "last_known_affected_version_range": "\u003c= 2.176.1" }, "package": { "ecosystem": "Maven", "name": "org.jenkins-ci.main:jenkins-core" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "2.176.2" } ], "type": "ECOSYSTEM" } ] }, { "database_specific": { "last_known_affected_version_range": "\u003c= 2.185" }, "package": { "ecosystem": "Maven", "name": "org.jenkins-ci.main:jenkins-core" }, "ranges": [ { "events": [ { "introduced": "2.177" }, { "fixed": "2.186" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2019-10353" ], "database_specific": { "cwe_ids": [ "CWE-352" ], "github_reviewed": true, "github_reviewed_at": "2022-06-28T22:58:52Z", "nvd_published_at": "2019-07-17T16:15:00Z", "severity": "HIGH" }, "details": "CSRF tokens in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier did not expire, thereby allowing attackers able to obtain them to bypass CSRF protection.", "id": "GHSA-hcxf-rq72-h4rr", "modified": "2022-06-28T22:58:52Z", "published": "2022-05-24T16:50:30Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10353" }, { "type": "WEB", "url": "https://github.com/jenkinsci/jenkins/commit/772152315aa0a9ba27b812a4ba0f3f9b64af78d9" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:2503" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:2548" }, { "type": "WEB", "url": "https://jenkins.io/security/advisory/2019-07-17/#SECURITY-626" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2019/07/17/2" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "type": "CVSS_V3" } ], "summary": "Cross-Site Request Forgery in Jenkins" }
Loading...