Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
NA

CVE-2019-10384

Published: 28/08/2019 Updated: 20/09/2019
CVSS v2 Base Score: 6.8 | Impact Score: 6.4 | Exploitability Score: 8.6
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Subscribe to Jenkins

Vulnerability Summary

Jenkins 2.191 and previous versions, LTS 2.176.2 and previous versions allowed users to obtain CSRF tokens without an associated web session ID, resulting in CSRF tokens that did not expire and could be used to bypass CSRF protection for the anonymous user.

Most Upvoted Vulmon Research Post

There is no Researcher post for this vulnerability
Would you like to share something about it? Sign up now to share your knowledge with the community.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

jenkins jenkins

Vendor Advisories

Red Hat: Important: OpenShift Container Platform 4.1.16 jenkins security update
Synopsis Important: OpenShift Container Platform 4116 jenkins security update Type/Severity Security Advisory: Important Topic An update for jenkins is now available for Red Hat OpenShift Container Platform 41Red Hat Product Security has rated this update as having a security impact of Important A Comm ...
Red Hat: Important: OpenShift Container Platform 3.11 jenkins security update
Synopsis Important: OpenShift Container Platform 311 jenkins security update Type/Severity Security Advisory: Important Topic An update for jenkins is now available for Red Hat OpenShift Container Platform 311Red Hat Product Security has rated this update as having a security impact of Important A Commo ...
Red Hat: CVE-2019-10384
Impact: Important Public Date: 2019-08-28 CWE: CWE-79 Bugzilla: 1747297: CVE-2019-10384 jenkins: CSRF p ...
Arch Linux Issues:
Jenkins allowed the creation of CSRF tokens without a corresponding web session ID This is the result of an incomplete fix for SECURITY-626 in the 2019-07-17 security advisory This allowed attackers able to obtain a CSRF token without associated session ID to implement CSRF attacks with the following constraints The token had to be created for t ...
Arch Linux Advisories: [ASA-201908-22] jenkins: multiple issues
Arch Linux Security Advisory ASA-201908-22 ========================================== Severity: Medium Date : 2019-08-30 CVE-ID : CVE-2019-10383 CVE-2019-10384 Package : jenkins Type : multiple issues Remote : Yes Link : securityarchlinuxorg/AVG-1030 Summary ======= The package jenkins before version 2192-1 is vulnerable to ...

Mailing Lists

Full Disclosure: Multiple vulnerabilities in Jenkins and Jenkins plugins
Jenkins is an open source automation server which enables developers around the world to reliably build, test, and deploy their software The following releases contain fixes for security vulnerabilities: * Jenkins weekly 2192 * Jenkins LTS 21763 * IBM Application Security on Cloud 125 * Splunk Plugin 180 Summaries of the vulnerabilities a ...

References

CWE-352http://www.openwall.com/lists/oss-security/2019/08/28/4https://access.redhat.com/errata/RHSA-2019:2789https://access.redhat.com/errata/RHSA-2019:3144https://jenkins.io/security/advisory/2019-08-28/#SECURITY-1491https://access.redhat.com/errata/RHSA-2019:2789https://nvd.nist.govhttps://exchange.xforce.ibmcloud.com/vulnerabilities/165983
VMScore
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2020-24686CVE-2021-21298CVE-2021-69420server-side request forgeryCVE-2021-23957microsoftSSTI.netSQLCVE-2021-21273CVE-2021-25281