CVE-2019-10384
HIGH
Jenkins < 2.176.3 - Cross-Site Request Forgery via Non-Expiring CSRF Tokens
Title source: llmDescription
Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed users to obtain CSRF tokens without an associated web session ID, resulting in CSRF tokens that did not expire and could be used to bypass CSRF protection for the anonymous user.
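The failure mode described above, as an added illustrative model rather than Jenkins's own crumb code: a CSRF token derived from the caller's identity and web session is safe only while a session is actually part of the derivation and still alive. If the issuer accepts a missing session, the token for the anonymous user collapses to a constant that validates forever, so anyone can fetch it once and embed it in a cross-site form. The HMAC/SHA-256 construction, the in-memory session store and its 30-minute idle expiry are assumptions made for this example.

```python
import hashlib
import hmac

# Constructed server-side secret for the example; a real issuer derives it from persistent secret material.
SECRET = b"example-secret-do-not-use"


class SessionStore:
    """Minimal in-memory session store with idle expiry (illustrative, not Jenkins's)."""

    def __init__(self, ttl_seconds):
        self.ttl = ttl_seconds
        self.sessions = {}  # session_id -> last-seen timestamp

    def create(self, session_id, now):
        self.sessions[session_id] = now

    def is_live(self, session_id, now):
        last = self.sessions.get(session_id)
        return last is not None and now - last <= self.ttl


def make_crumb(user, session_id):
    """Token bound to identity and web session (HMAC stands in for the real digest)."""
    msg = f"{user};{session_id}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_crumb_vulnerable(user, session_id):
    # Accepts a missing session: the token then depends only on the user name,
    # so for 'anonymous' it is a constant that never expires.
    return make_crumb(user, session_id or "")


def validate_crumb_vulnerable(store, user, session_id, crumb, now):
    # Checks only the digest; the store is never consulted, so liveness is never enforced.
    return hmac.compare_digest(crumb, make_crumb(user, session_id or ""))


def issue_crumb_fixed(store, user, session_id, now):
    # Refuses to issue a token that is not tied to a live session.
    if not session_id or not store.is_live(session_id, now):
        return None
    return make_crumb(user, session_id)


def validate_crumb_fixed(store, user, session_id, crumb, now):
    # A token is only as long-lived as the session it was bound to.
    if not session_id or not store.is_live(session_id, now):
        return False
    return hmac.compare_digest(crumb, make_crumb(user, session_id))


def demo():
    """Returns (vulnerable accepts stale token, fixed refuses sessionless issue,
    fixed accepts live-session token, fixed rejects it after the session expires)."""
    store = SessionStore(ttl_seconds=1800)
    t0 = 0
    week_later = t0 + 7 * 24 * 3600

    # Attacker fetches a crumb for 'anonymous' while sending no session cookie at all.
    stale = issue_crumb_vulnerable("anonymous", None)
    # A week later the same token is still accepted by the vulnerable check.
    vuln_accepts = validate_crumb_vulnerable(store, "anonymous", None, stale, week_later)

    # Fixed issuer: no session, no token.
    fixed_refuses = issue_crumb_fixed(store, "anonymous", None, t0) is None

    # Fixed issuer: token bound to a live session dies with that session.
    store.create("sess-123", t0)
    bound = issue_crumb_fixed(store, "anonymous", "sess-123", t0)
    ok_now = validate_crumb_fixed(store, "anonymous", "sess-123", bound, t0 + 60)
    ok_later = validate_crumb_fixed(store, "anonymous", "sess-123", bound, week_later)
    return vuln_accepts, fixed_refuses, ok_now, ok_later


if __name__ == "__main__":
    print(demo())  # (True, True, True, False)
```

The practical check for an affected instance is the same as the model's: request a crumb with no session cookie and see whether one comes back and whether it is identical across requests; a patched issuer does not hand out a session-less crumb that stays valid indefinitely.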
References (5)
Mailing List, Third Party Advisory (mailing-list, x_refsource_mlist): http://www.openwall.com/lists/oss-security/2019/08/28/4
Third Party Advisory (vendor-advisory, x_refsource_redhat): https://access.redhat.com/errata/RHSA-2019:2789
Third Party Advisory (vendor-advisory, x_refsource_redhat): https://access.redhat.com/errata/RHSA-2019:3144
Patch, Third Party Advisory (x_refsource_misc): https://www.oracle.com/security-alerts/cpuapr2022.html
Vendor Advisory (x_refsource_confirm): https://jenkins.io/security/advisory/2019-08-28/#SECURITY-1491
Scores
CVSS v3
8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Attack Vector
NETWORK
EPSS
0.0011 (0.11%)
EPSS Percentile
29.2%
Details
CWE
CWE-352 (Cross-Site Request Forgery)
Status
published
Products (6)
jenkins/jenkins
<= 2.176.2 (LTS; fixed in 2.176.3)
jenkins/jenkins
<= 2.191 (weekly; fixed in 2.192)
oracle/communications_cloud_native_core_automated_test_suite
1.9.0
org.jenkins-ci.main/jenkins-core (Maven)
>= 0, < 2.176.3
redhat/openshift_container_platform
3.11
redhat/openshift_container_platform
4.1
Published
Aug 28, 2019
Tracked Since
Feb 18, 2026