CVE-2019-10384

EUVD-2022-5344
Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed users to obtain CSRF tokens without an associated web session ID, resulting in CSRF tokens that did not expire and could be used to bypass CSRF protection for the anonymous user.
CSRF
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.8 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 35%
Affected Products (NVD)
VendorProductVersion
jenkinsjenkins
𝑥
≤ 2.176.2
jenkinsjenkins
𝑥
≤ 2.191
oraclecommunications_cloud_native_core_automated_test_suite
1.9.0
redhatopenshift_container_platform
3.11
redhatopenshift_container_platform
4.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://www.openwall.com/lists/oss-security/2019/08/28/4
https://access.redhat.com/errata/RHSA-2019:2789
https://access.redhat.com/errata/RHSA-2019:3144
https://jenkins.io/security/advisory/2019-08-28/#SECURITY-1491
https://www.oracle.com/security-alerts/cpuapr2022.html
http://www.openwall.com/lists/oss-security/2019/08/28/4
https://access.redhat.com/errata/RHSA-2019:2789
https://access.redhat.com/errata/RHSA-2019:3144
https://jenkins.io/security/advisory/2019-08-28/#SECURITY-1491
https://www.oracle.com/security-alerts/cpuapr2022.html