Description
A race condition during Jenkins 2.94 and earlier; 2.89.1 and earlier startup could result in the wrong order of execution of commands during initialization. There is a very short window of time after startup during which Jenkins may no longer show the 'Please wait while Jenkins is getting ready to work' message but Cross-Site Request Forgery (CSRF) protection may not yet be effective.
Remediation
References
Related Vulnerabilities
Oracle JRE CVE-2012-1724 Vulnerability (CVE-2012-1724)
qdPM Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2020-26165)
Drupal Core 8.8.x Security Bypass (8.8.0 - 8.8.9)
XWiki Improper Authentication Vulnerability (CVE-2022-36092)
WordPress Plugin WooCommerce BuddyPress Integration Security Bypass (3.2.5)