{"containers": {"cna": {"affected": [{"product": "Jenkins", "vendor": "Jenkins project", "versions": [{"status": "affected", "version": "2.185 and earlier, LTS 2.176.1 and earlier"}]}], "descriptions": [{"lang": "en", "value": "CSRF tokens in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier did not expire, thereby allowing attackers able to obtain them to bypass CSRF protection."}], "providerMetadata": {"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins", "dateUpdated": "2023-10-24T16:47:58.135Z"}, "references": [{"name": "[oss-security] 20190717 Multiple vulnerabilities in Jenkins", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2019/07/17/2"}, {"name": "109373", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/109373"}, {"name": "RHSA-2019:2503", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:2503"}, {"name": "RHSA-2019:2548", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:2548"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://jenkins.io/security/advisory/2019-07-17/#SECURITY-626"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "jenkinsci-cert@googlegroups.com", "ID": "CVE-2019-10353", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Jenkins", "version": {"version_data": [{"version_value": "2.185 and earlier, LTS 2.176.1 and earlier"}]}}]}, "vendor_name": "Jenkins project"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "CSRF tokens in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier did not expire, thereby allowing attackers able to obtain them to bypass CSRF protection."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-352"}]}]}, "references": {"reference_data": [{"name": "[oss-security] 20190717 Multiple vulnerabilities in Jenkins", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2019/07/17/2"}, {"name": "109373", "refsource": "BID", "url": "http://www.securityfocus.com/bid/109373"}, {"name": "RHSA-2019:2503", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:2503"}, {"name": "RHSA-2019:2548", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:2548"}, {"name": "https://jenkins.io/security/advisory/2019-07-17/#SECURITY-626", "refsource": "CONFIRM", "url": "https://jenkins.io/security/advisory/2019-07-17/#SECURITY-626"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T22:17:20.468Z"}, "title": "CVE Program Container", "references": [{"name": "[oss-security] 20190717 Multiple vulnerabilities in Jenkins", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2019/07/17/2"}, {"name": "109373", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/109373"}, {"name": "RHSA-2019:2503", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2019:2503"}, {"name": "RHSA-2019:2548", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2019:2548"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://jenkins.io/security/advisory/2019-07-17/#SECURITY-626"}]}]}, "cveMetadata": {"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2019-10353", "datePublished": "2019-07-17T15:45:13", "dateReserved": "2019-03-29T00:00:00", "dateUpdated": "2024-08-04T22:17:20.468Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*", "matchCriteriaId": "36061F39-5E8A-4308-B032-CACA3D215495", "versionEndIncluding": "2.176.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*", "matchCriteriaId": "096D9B21-29B1-40BD-AF5E-0802664D9F9A", "versionEndIncluding": "2.185", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "CSRF tokens in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier did not expire, thereby allowing attackers able to obtain them to bypass CSRF protection."}, {"lang": "es", "value": "Unos tokens de tipo CSRF en Jenkins versiones 2.185 y anteriores, LTS versiones 2.176.1 y anteriores, no expiraron, de este modo permitieron a atacantes capaces de lograrlo omitir la protecci\u00f3n de tipo CSRF."}], "id": "CVE-2019-10353", "lastModified": "2023-10-25T18:16:17.723", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 4.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-07-17T16:15:12.490", "references": [{"source": "jenkinsci-cert@googlegroups.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2019/07/17/2"}, {"source": "jenkinsci-cert@googlegroups.com", "url": "http://www.securityfocus.com/bid/109373"}, {"source": "jenkinsci-cert@googlegroups.com", "url": "https://access.redhat.com/errata/RHSA-2019:2503"}, {"source": "jenkinsci-cert@googlegroups.com", "url": "https://access.redhat.com/errata/RHSA-2019:2548"}, {"source": "jenkinsci-cert@googlegroups.com", "tags": ["Vendor Advisory"], "url": "https://jenkins.io/security/advisory/2019-07-17/#SECURITY-626"}], "sourceIdentifier": "jenkinsci-cert@googlegroups.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2019:2503", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "jenkins-0:2.176.2.1563460897-1.el7", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-08-15T00:00:00Z"}, {"advisory": "RHSA-2019:2548", "cpe": "cpe:/a:redhat:openshift:4.1::el7", "package": "jenkins-0:2.176.2.1563461785-1.el7", "product_name": "Red Hat OpenShift Container Platform 4.1", "release_date": "2019-08-28T00:00:00Z"}], "bugzilla": {"description": "jenkins: CSRF protection tokens did not expire (SECURITY-626)", "id": "1730877", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1730877"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.1", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L", "status": "verified"}, "cwe": "CWE-352", "details": ["CSRF tokens in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier did not expire, thereby allowing attackers able to obtain them to bypass CSRF protection.", "A flaw was found in Jenkins in weekly versions prior to 2.186 and LTS versions prior to 2.176.2. By default, CSRF tokens in Jenkins only checked user authentication and IP address which allowed attackers able to obtain a CSRF token for another user. This allowed an attacker to implement CSRF attacks as long as the victim\u2019s IP address remained unchanged. The highest threat from this vulnerability is to data confidentiality and integrity."], "name": "CVE-2019-10353", "package_state": [{"cpe": "cpe:/a:redhat:openshift:3.10", "fix_state": "Will not fix", "package_name": "jenkins", "product_name": "Red Hat OpenShift Container Platform 3.10"}, {"cpe": "cpe:/a:redhat:openshift:3.6", "fix_state": "Will not fix", "package_name": "jenkins", "product_name": "Red Hat OpenShift Container Platform 3.6"}, {"cpe": "cpe:/a:redhat:openshift:3.7", "fix_state": "Will not fix", "package_name": "jenkins", "product_name": "Red Hat OpenShift Container Platform 3.7"}, {"cpe": "cpe:/a:redhat:openshift:3.9", "fix_state": "Will not fix", "package_name": "jenkins", "product_name": "Red Hat OpenShift Container Platform 3.9"}], "public_date": "2019-07-17T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-10353\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-10353\nhttps://jenkins.io/security/advisory/2019-07-17/#SECURITY-626"], "threat_severity": "Important", "upstream_fix": "Jenkins LTS 2.176.2, jenkins weekly 2.186"}