Vulnerability Description
Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed users to obtain CSRF tokens without an associated web session ID, resulting in CSRF tokens that did not expire and could be used to bypass CSRF protection for the anonymous user.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Jenkins | Jenkins | <= 2.176.2 |
| Oracle | Communications Cloud Native Core Automated Test Suite | 1.9.0 |
| Red Hat | OpenShift Container Platform | 3.11 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2019/08/28/4 (Mailing List, Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2019:2789 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2019:3144 (Third Party Advisory)
- https://jenkins.io/security/advisory/2019-08-28/#SECURITY-1491 (Vendor Advisory)
- https://www.oracle.com/security-alerts/cpuapr2022.html (Patch, Third Party Advisory)
FAQ
What is CVE-2019-10384?
CVE-2019-10384 is a vulnerability with a CVSS score of 8.8 (HIGH). Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed users to obtain CSRF tokens without an associated web session ID, resulting in CSRF tokens that did not expire and could be used to bypass CS...
How severe is CVE-2019-10384?
CVE-2019-10384 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-10384?
Check the references section above for vendor advisories and patch information. Affected products include: Jenkins (Jenkins), Oracle Communications Cloud Native Core Automated Test Suite, and Red Hat OpenShift Container Platform.