Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2019-10384

Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed users to obtain CSRF tokens without an associated web session ID, resulting in CSRF tokens that did not expire and could be used to bypass CSRF protection for the anonymous user.

Published

2019-08-28T16:15:10.983

Last Modified

2024-11-21T04:19:01.147

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 8.8 (HIGH)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Exploitability Score

8.6

Impact Score

6.4

Weaknesses

Type: Primary
CWE-352

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	jenkins	jenkins	≤ 2.176.2	Yes
Application	jenkins	jenkins	≤ 2.191	Yes
Application	oracle	communications_cloud_native_core_automated_test_suite	1.9.0	Yes
Application	redhat	openshift_container_platform	3.11	Yes
Application	redhat	openshift_container_platform	4.1	Yes

References

http://www.openwall.com/lists/oss-security/2019/08/28/4 Mailing List, Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2019:2789 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2019:3144 Third Party Advisory ([email protected])
https://jenkins.io/security/advisory/2019-08-28/#SECURITY-1491 Vendor Advisory ([email protected])
https://www.oracle.com/security-alerts/cpuapr2022.html Patch, Third Party Advisory ([email protected])
http://www.openwall.com/lists/oss-security/2019/08/28/4 Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2019:2789 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2019:3144 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://jenkins.io/security/advisory/2019-08-28/#SECURITY-1491 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpuapr2022.html Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)