CVE-2019-10384
jenkins: CSRF protection tokens for anonymous users did not expire in some circumstances (SECURITY-1491)
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed users to obtain CSRF tokens without an associated web session ID, resulting in CSRF tokens that did not expire and could be used to bypass CSRF protection for the anonymous user.
Jenkins 2.191 y anteriores, LTS 2.176.2 y anteriores permitieron a los usuarios obtener tokens CSRF sin un ID de sesión web asociado, lo que resultó en tokens CSRF que no caducaron y podrían usarse para omitir la protección CSRF para el usuario anónimo.
A flaw was found in Jenkins. Users are allowed to obtain CSRF tokens without an associated web session ID, resulting in CSRF tokens that did not expire and could be used to bypass CSRF protection for the anonymous user. The highest threat from this vulnerability is to data confidentiality and integrity.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2019-03-29 CVE Reserved
- 2019-08-28 CVE Published
- 2024-08-04 CVE Updated
- 2024-08-21 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- CWE-352: Cross-Site Request Forgery (CSRF)
CAPEC
References (7)
URL | Tag | Source |
---|---|---|
http://www.openwall.com/lists/oss-security/2019/08/28/4 | Mailing List |
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://www.oracle.com/security-alerts/cpuapr2022.html | 2023-10-25 |
URL | Date | SRC |
---|---|---|
https://access.redhat.com/errata/RHSA-2019:2789 | 2023-10-25 | |
https://access.redhat.com/errata/RHSA-2019:3144 | 2023-10-25 | |
https://jenkins.io/security/advisory/2019-08-28/#SECURITY-1491 | 2023-10-25 | |
https://access.redhat.com/security/cve/CVE-2019-10384 | 2019-10-18 | |
https://bugzilla.redhat.com/show_bug.cgi?id=1747297 | 2019-10-18 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Jenkins Search vendor "Jenkins" | Jenkins Search vendor "Jenkins" for product "Jenkins" | <= 2.176.2 Search vendor "Jenkins" for product "Jenkins" and version " <= 2.176.2" | lts |
Affected
| ||||||
Jenkins Search vendor "Jenkins" | Jenkins Search vendor "Jenkins" for product "Jenkins" | <= 2.191 Search vendor "Jenkins" for product "Jenkins" and version " <= 2.191" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Communications Cloud Native Core Automated Test Suite Search vendor "Oracle" for product "Communications Cloud Native Core Automated Test Suite" | 1.9.0 Search vendor "Oracle" for product "Communications Cloud Native Core Automated Test Suite" and version "1.9.0" | - |
Affected
| ||||||
Redhat Search vendor "Redhat" | Openshift Container Platform Search vendor "Redhat" for product "Openshift Container Platform" | 3.11 Search vendor "Redhat" for product "Openshift Container Platform" and version "3.11" | - |
Affected
| ||||||
Redhat Search vendor "Redhat" | Openshift Container Platform Search vendor "Redhat" for product "Openshift Container Platform" | 4.1 Search vendor "Redhat" for product "Openshift Container Platform" and version "4.1" | - |
Affected
|