GSA_kwCzR0hTQS12Y3I4LWg4cXAtcWo4aM4AAh6e

High EPSS: 0.00165% (0.38321 Percentile) EPSS:

Permalink JSON

Cross-Site Request Forgery in Jenkins

Affected Packages	Affected Versions	Fixed Versions
maven:org.jenkins-ci.main:jenkins-core	>= 2.177, <= 2.191, <= 2.176.2	2.192, 2.176.3

Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed users to obtain CSRF tokens without an associated web session ID, resulting in CSRF tokens that did not expire and could be used to bypass CSRF protection for the anonymous user.

References:

https://nvd.nist.gov/vuln/detail/CVE-2019-10384
https://access.redhat.com/errata/RHSA-2019:2789
https://access.redhat.com/errata/RHSA-2019:3144
https://jenkins.io/security/advisory/2019-08-28/#SECURITY-1491
https://www.oracle.com/security-alerts/cpuapr2022.html
http://www.openwall.com/lists/oss-security/2019/08/28/4
https://github.com/jenkinsci/jenkins/commit/ace5965b45ba77665e4dd168314665df63527a62
https://github.com/advisories/GHSA-vcr8-h8qp-qj8h

Identifiers

GHSA-vcr8-h8qp-qj8h

CVE-2019-10384

Risk

Severity

High

EPSS

EPSS Percentage: 0.00165

EPSS Percentile: 0.38321

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/jenkinsci/jenkins

Date and time

Published

about 3 years ago

Updated

over 1 year ago

API

JSON

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Advisories