Description

Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed users to obtain CSRF tokens without an associated web session ID, resulting in CSRF tokens that did not expire and could be used to bypass CSRF protection for the anonymous user.

Remediation

References

CVE-2019-10384

Related Vulnerabilities

WordPress Plugin Two-Factor Authentication-Clockwork SMS Cross-Site Scripting (1.0.3)

WordPress Plugin Quiz and Survey Master (QSM)-Easy Quiz and Survey Maker Unspecified Vulnerability (6.3.5)

phpMyFAQ Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2023-0792)

OpenSSL Numeric Errors Vulnerability (CVE-2016-2181)

WordPress Plugin Responsive Slider-Image Slider-Slideshow for WordPress Multiple Vulnerabilities (2.7.5)

Severity

High

Classification

CVE-2019-10384 CWE-352 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities