Impact: Important Public Date: 2019-07-17 CWE: CWE-352 Bugzilla: 1730877: CVE-2019-10353 jenkins: CSRF protection tokens did not expire (SECURITY-626) CSRF tokens in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier did not expire, thereby allowing attackers able to obtain them to bypass CSRF protection.
The MITRE CVE dictionary describes this issue as:
Find out more about CVE-2019-10353 from the MITRE CVE dictionary dictionary and NIST NVD.
NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.
| CVSS3 Base Score | 7.1 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L |
| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | None |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity Impact | High |
| Availability Impact | Low |
| Platform | Package | State |
|---|---|---|
| Red Hat OpenShift Container Platform 4.1 | jenkins | Under investigation |
| Red Hat OpenShift Container Platform 3.9 | jenkins | Under investigation |
| Red Hat OpenShift Container Platform 3.7 | jenkins | Under investigation |
| Red Hat OpenShift Container Platform 3.6 | jenkins | Under investigation |
| Red Hat OpenShift Container Platform 3.11 | jenkins | Under investigation |
| Red Hat OpenShift Container Platform 3.10 | jenkins | Under investigation |
Vulmon