Description
Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed users to obtain CSRF tokens without an associated web session ID, resulting in CSRF tokens that did not expire and could be used to bypass CSRF protection for the anonymous user.
Remediation
References
Related Vulnerabilities
WordPress Plugin Advanced Booking Calendar Cross-Site Scripting (1.6.7)
Joomla! Core 1.7.x Security Bypass (1.7.0 - 1.7.5)
Moodle Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2012-0800)
WordPress Plugin Broken Link Manager SQL Injection (0.6.5)
Jboss EAP Allocation of Resources Without Limits or Throttling Vulnerability (CVE-2020-10705)