6.8
CVSSv2

CVE-2019-10384

Published: 28/08/2019 Updated: 20/09/2019
CVSS v2 Base Score: 6.8 | Impact Score: 6.4 | Exploitability Score: 8.6
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Summary

Jenkins 2.191 and previous versions, LTS 2.176.2 and previous versions allowed users to obtain CSRF tokens without an associated web session ID, resulting in CSRF tokens that did not expire and could be used to bypass CSRF protection for the anonymous user.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

jenkins jenkins

Vendor Advisories

Synopsis Important: OpenShift Container Platform 311 jenkins security update Type/Severity Security Advisory: Important Topic An update for jenkins is now available for Red Hat OpenShift Container Platform 311Red Hat Product Security has rated this update as having a security impact of Important A Commo ...
Synopsis Important: OpenShift Container Platform 4116 jenkins security update Type/Severity Security Advisory: Important Topic An update for jenkins is now available for Red Hat OpenShift Container Platform 41Red Hat Product Security has rated this update as having a security impact of Important A Comm ...
Impact: Important Public Date: 2019-08-28 CWE: CWE-79 Bugzilla: 1747297: CVE-2019-10384 jenkins: CSRF p ...
Jenkins allowed the creation of CSRF tokens without a corresponding web session ID This is the result of an incomplete fix for SECURITY-626 in the 2019-07-17 security advisory This allowed attackers able to obtain a CSRF token without associated session ID to implement CSRF attacks with the following constraints The token had to be created for t ...
Arch Linux Security Advisory ASA-201908-22 ========================================== Severity: Medium Date : 2019-08-30 CVE-ID : CVE-2019-10383 CVE-2019-10384 Package : jenkins Type : multiple issues Remote : Yes Link : securityarchlinuxorg/AVG-1030 Summary ======= The package jenkins before version 2192-1 is vulnerable to ...

Mailing Lists

Jenkins is an open source automation server which enables developers around the world to reliably build, test, and deploy their software The following releases contain fixes for security vulnerabilities: * Jenkins weekly 2192 * Jenkins LTS 21763 * IBM Application Security on Cloud 125 * Splunk Plugin 180 Summaries of the vulnerabilities a ...