Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed users to obtain CSRF tokens without an associated web session ID, resulting in CSRF tokens that did not expire and could be used to bypass CSRF protection for the anonymous user.
References
Link | Resource |
---|---|
http://www.openwall.com/lists/oss-security/2019/08/28/4 | Mailing List Third Party Advisory |
https://access.redhat.com/errata/RHSA-2019:2789 | Third Party Advisory |
https://access.redhat.com/errata/RHSA-2019:3144 | Third Party Advisory |
https://jenkins.io/security/advisory/2019-08-28/#SECURITY-1491 | Vendor Advisory |
https://www.oracle.com/security-alerts/cpuapr2022.html | Patch Third Party Advisory |
http://www.openwall.com/lists/oss-security/2019/08/28/4 | Mailing List Third Party Advisory |
https://access.redhat.com/errata/RHSA-2019:2789 | Third Party Advisory |
https://access.redhat.com/errata/RHSA-2019:3144 | Third Party Advisory |
https://jenkins.io/security/advisory/2019-08-28/#SECURITY-1491 | Vendor Advisory |
https://www.oracle.com/security-alerts/cpuapr2022.html | Patch Third Party Advisory |
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
History
21 Nov 2024, 04:19
Type | Values Removed | Values Added |
---|---|---|
References | () http://www.openwall.com/lists/oss-security/2019/08/28/4 - Mailing List, Third Party Advisory | |
References | () https://access.redhat.com/errata/RHSA-2019:2789 - Third Party Advisory | |
References | () https://access.redhat.com/errata/RHSA-2019:3144 - Third Party Advisory | |
References | () https://jenkins.io/security/advisory/2019-08-28/#SECURITY-1491 - Vendor Advisory | |
References | () https://www.oracle.com/security-alerts/cpuapr2022.html - Patch, Third Party Advisory |
Information
Published : 2019-08-28 16:15
Updated : 2024-11-21 04:19
NVD link : CVE-2019-10384
Mitre link : CVE-2019-10384
CVE.ORG link : CVE-2019-10384
JSON object : View
Products Affected
oracle
- communications_cloud_native_core_automated_test_suite
redhat
- openshift_container_platform
jenkins
- jenkins
CWE
CWE-352
Cross-Site Request Forgery (CSRF)