CVE-2019-10384 – org.jenkins-ci.main:jenkins-core

Package

Manager: maven
Name: org.jenkins-ci.main:jenkins-core
Vulnerable Version: >=0 <2.176.3 || >=2.177 <2.192

Severity

Level: High

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00508 pctl0.65333

Details

Cross-Site Request Forgery in Jenkins Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed users to obtain CSRF tokens without an associated web session ID, resulting in CSRF tokens that did not expire and could be used to bypass CSRF protection for the anonymous user.

Metadata

Created: 2022-05-24T16:55:01Z
Modified: 2022-06-28T22:29:22Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-vcr8-h8qp-qj8h/GHSA-vcr8-h8qp-qj8h.json
CWE IDs: ["CWE-352"]
Alternative ID: GHSA-vcr8-h8qp-qj8h
Finding: F007
Auto approve: 1