CVE-2019-10384
HIGH8.8EPSS 0.11%Cross-Site Request Forgery in Jenkins
發布日:2022/5/24修改日:2024/2/16
描述
Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed users to obtain CSRF tokens without an associated web session ID, resulting in CSRF tokens that did not expire and could be used to bypass CSRF protection for the anonymous user.
受影響套件(1)
- Maven/org.jenkins-ci.main:jenkins-corefrom 0, < 2.176.3
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
參考連結(7)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2019-10384
- WEBhttps://access.redhat.com/errata/RHSA-2019:2789
- WEBhttps://access.redhat.com/errata/RHSA-2019:3144
- WEBhttps://github.com/jenkinsci/jenkins/commit/ace5965b45ba77665e4dd168314665df63527a62
- WEBhttps://jenkins.io/security/advisory/2019-08-28/#SECURITY-1491
- WEBhttps://www.oracle.com/security-alerts/cpuapr2022.html
- WEBhttp://www.openwall.com/lists/oss-security/2019/08/28/4