Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed users to obtain CSRF tokens without an associated web session ID, resulting in CSRF tokens that did not expire and could be used to bypass CSRF protection for the anonymous user.
References
Link | Resource |
---|---|
http://www.openwall.com/lists/oss-security/2019/08/28/4 | Mailing List Third Party Advisory |
https://access.redhat.com/errata/RHSA-2019:2789 | Third Party Advisory |
https://access.redhat.com/errata/RHSA-2019:3144 | Third Party Advisory |
https://jenkins.io/security/advisory/2019-08-28/#SECURITY-1491 | Vendor Advisory |
https://www.oracle.com/security-alerts/cpuapr2022.html | Patch Third Party Advisory |
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
History
No history.
Information
Published : 2019-08-28 16:15
Updated : 2024-02-28 17:08
NVD link : CVE-2019-10384
Mitre link : CVE-2019-10384
CVE.ORG link : CVE-2019-10384
JSON object : View
Products Affected
oracle
- communications_cloud_native_core_automated_test_suite
jenkins
- jenkins
redhat
- openshift_container_platform
CWE
CWE-352
Cross-Site Request Forgery (CSRF)