Description

Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed users to obtain CSRF tokens without an associated web session ID, resulting in CSRF tokens that did not expire and could be used to bypass CSRF protection for the anonymous user.

Remediation

References

CVE-2019-10384

Related Vulnerabilities

Atlassian Jira Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2020-4025)

Oracle Database Server CVE-2010-0071 Vulnerability (CVE-2010-0071)

WordPress Plugin Smart Forms-when you need more than just a contact form Cross-Site Scripting (2.1.0)

Oracle JRE CVE-2019-2973 Vulnerability (CVE-2019-2973)

WordPress Plugin Feed Them Social-for Twitter feed, Youtube and more PHAR Deserialization (2.9.8.5)

Severity

High

Classification

CVE-2019-10384 CWE-352 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities