CVE-2017-1000504
HIGHJenkins < 2.89.1, < 2.94, >=2.81 <2.89.2 - Cross-Site Request Forgery via Race Condition During Startup
Title source: llmDescription
A race condition during Jenkins 2.94 and earlier; 2.89.1 and earlier startup could result in the wrong order of execution of commands during initialization. There is a very short window of time after startup during which Jenkins may no longer show the 'Please wait while Jenkins is getting ready to work' message but Cross-Site Request Forgery (CSRF) protection may not yet be effective.
References (1)
Core 1
Core References
Vendor Advisory x_refsource_confirm
https://jenkins.io/security/advisory/2017-12-14/
Scores
CVSS v3
8.1
EPSS
0.0115
EPSS Percentile
78.7%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-352
Status
published
Products (3)
jenkins/jenkins
< 2.89.1
jenkins/jenkins
< 2.94
org.jenkins-ci.main/jenkins-core
2.81 - 2.89.2Maven
Published
Jan 24, 2018
Tracked Since
Feb 18, 2026