Description
Jenkins 2.227 and earlier, and LTS 2.204.5 and earlier, use different representations of request URL paths when deciding whether a request needs a CSRF token, which allows attackers to craft URLs that bypass CSRF protection for any target URL.
Remediation
References
https://jenkins.io/security/advisory/2020-03-25/#SECURITY-1774
http://www.openwall.com/lists/oss-security/2020/03/25/2