Описание
Cross-Site Request Forgery in Jenkins
Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed users to obtain CSRF tokens without an associated web session ID, resulting in CSRF tokens that did not expire and could be used to bypass CSRF protection for the anonymous user.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2019-10384
- https://github.com/jenkinsci/jenkins/commit/ace5965b45ba77665e4dd168314665df63527a62
- https://access.redhat.com/errata/RHSA-2019:2789
- https://access.redhat.com/errata/RHSA-2019:3144
- https://jenkins.io/security/advisory/2019-08-28/#SECURITY-1491
- https://www.oracle.com/security-alerts/cpuapr2022.html
- http://www.openwall.com/lists/oss-security/2019/08/28/4
Пакеты
org.jenkins-ci.main:jenkins-core
<= 2.176.2
2.176.3
org.jenkins-ci.main:jenkins-core
>= 2.177, <= 2.191
2.192
Связанные уязвимости
Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed users to obtain CSRF tokens without an associated web session ID, resulting in CSRF tokens that did not expire and could be used to bypass CSRF protection for the anonymous user.
Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed users to obtain CSRF tokens without an associated web session ID, resulting in CSRF tokens that did not expire and could be used to bypass CSRF protection for the anonymous user.
Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed users to ob ...
Уязвимость сервера автоматизации Jenkins, связанная с межсайтовой фальсификацией запросов, позволяющая нарушителю оказать воздействие на целостность, конфиденциальность и доступность защищаемой информации