Описание
Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed users to obtain CSRF tokens without an associated web session ID, resulting in CSRF tokens that did not expire and could be used to bypass CSRF protection for the anonymous user.
A flaw was found in Jenkins. Users are allowed to obtain CSRF tokens without an associated web session ID, resulting in CSRF tokens that did not expire and could be used to bypass CSRF protection for the anonymous user. The highest threat from this vulnerability is to data confidentiality and integrity.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat OpenShift Container Platform 3.10 | jenkins | Will not fix | ||
| Red Hat OpenShift Container Platform 3.9 | jenkins | Will not fix | ||
| Red Hat OpenShift Container Platform 3.11 | jenkins | Fixed | RHSA-2019:3144 | 18.10.2019 |
| Red Hat OpenShift Container Platform 4.1 | jenkins | Fixed | RHSA-2019:2789 | 20.09.2019 |
Показывать по
Дополнительная информация
Статус:
7.1 High
CVSS3
Связанные уязвимости
Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed users to obtain CSRF tokens without an associated web session ID, resulting in CSRF tokens that did not expire and could be used to bypass CSRF protection for the anonymous user.
Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed users to ob ...
Уязвимость сервера автоматизации Jenkins, связанная с межсайтовой фальсификацией запросов, позволяющая нарушителю оказать воздействие на целостность, конфиденциальность и доступность защищаемой информации
7.1 High
CVSS3