CVE-2019-10384

moderate-risk

Published 2019-08-28

Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed users to obtain CSRF tokens without an associated web session ID, resulting in CSRF tokens that did not expire and could be used to bypass CSRF protection for the anonymous user.

Do I need to act?

0.15% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 8.8/10 High

NETWORK / LOW complexity

Affected Products (5)

Jenkins

Communications Cloud Native Core Automated Test Suite

Openshift Container Platform

Affected Vendors

Redhat Oracle Jenkins

References (10)

Mailing List http://www.openwall.com/lists/oss-security/2019/08/28/4

Third Party Advisory https://access.redhat.com/errata/RHSA-2019:2789

Third Party Advisory https://access.redhat.com/errata/RHSA-2019:3144

Vendor Advisory https://jenkins.io/security/advisory/2019-08-28/#SECURITY-1491

Patch https://www.oracle.com/security-alerts/cpuapr2022.html

Mailing List http://www.openwall.com/lists/oss-security/2019/08/28/4

Third Party Advisory https://access.redhat.com/errata/RHSA-2019:2789

Third Party Advisory https://access.redhat.com/errata/RHSA-2019:3144

Vendor Advisory https://jenkins.io/security/advisory/2019-08-28/#SECURITY-1491

Patch https://www.oracle.com/security-alerts/cpuapr2022.html

/ 100

moderate-risk

Severity 30/34 · Critical

Exploitability 1/34 · Minimal

Exposure 12/34 · Low