ghsa-vcr8-h8qp-qj8h
Vulnerability from github
Published
2022-05-24 16:55
Modified
2022-06-28 22:29
Severity
Summary
Cross-Site Request Forgery in Jenkins
Details
Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed users to obtain CSRF tokens without an associated web session ID, resulting in CSRF tokens that did not expire and could be used to bypass CSRF protection for the anonymous user.
{ "affected": [ { "database_specific": { "last_known_affected_version_range": "\u003c= 2.176.2" }, "package": { "ecosystem": "Maven", "name": "org.jenkins-ci.main:jenkins-core" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "2.176.3" } ], "type": "ECOSYSTEM" } ] }, { "database_specific": { "last_known_affected_version_range": "\u003c= 2.191" }, "package": { "ecosystem": "Maven", "name": "org.jenkins-ci.main:jenkins-core" }, "ranges": [ { "events": [ { "introduced": "2.177" }, { "fixed": "2.192" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2019-10384" ], "database_specific": { "cwe_ids": [ "CWE-352" ], "github_reviewed": true, "github_reviewed_at": "2022-06-28T22:29:22Z", "nvd_published_at": "2019-08-28T16:15:00Z", "severity": "HIGH" }, "details": "Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed users to obtain CSRF tokens without an associated web session ID, resulting in CSRF tokens that did not expire and could be used to bypass CSRF protection for the anonymous user.", "id": "GHSA-vcr8-h8qp-qj8h", "modified": "2022-06-28T22:29:22Z", "published": "2022-05-24T16:55:01Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10384" }, { "type": "WEB", "url": "https://github.com/jenkinsci/jenkins/commit/ace5965b45ba77665e4dd168314665df63527a62" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:2789" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3144" }, { "type": "WEB", "url": "https://jenkins.io/security/advisory/2019-08-28/#SECURITY-1491" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2019/08/28/4" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "type": "CVSS_V3" } ], "summary": "Cross-Site Request Forgery in Jenkins" }
Loading...