https://bugzilla.redhat.com/show_bug.cgi?id=1730877
Bug ID: 1730877
Summary: CVE-2019-10353 jenkins: CSRF protection tokens did not expire (SECURITY-626)
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Whiteboard: impact=important,public=20190717,reported=20190717,source=internet,cvss3=7.1/CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L,cwe=CWE-352,openshift-enterprise-3.6/jenkins=new,openshift-enterprise-3.7/jenkins=new,openshift-enterprise-3.9/jenkins=new,openshift-enterprise-3.10/jenkins=new,openshift-enterprise-3.11/jenkins=new,openshift-enterprise-4.1/jenkins=new,fedora-all/jenkins=affected
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team(a)redhat.com
Reporter: lpardo(a)redhat.com
CC: abenaiss(a)redhat.com, adam.kaplan(a)redhat.com,
ahardin(a)redhat.com, aos-bugs(a)redhat.com,
bleanhar(a)redhat.com, ccoleman(a)redhat.com,
dedgar(a)redhat.com, eparis(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jgoulding(a)redhat.com, jokerman(a)redhat.com,
mchappel(a)redhat.com, mizdebsk(a)redhat.com,
msrb(a)redhat.com, vbobade(a)redhat.com, wzheng(a)redhat.com
Target Milestone: ---
Classification: Other
A vulnerability was found in Jenkins weekly releases before 2.186 and LTS releases
before 2.176.2. By default, the CSRF protection tokens (crumbs) issued by Jenkins were
bound only to the user's authentication and IP address and never expired. An attacker
who obtained a crumb issued to another user could therefore keep using it to mount
CSRF attacks for as long as the victim's IP address remained unchanged.