CVE-2019-10384
Cross-Site Request Forgery in Jenkins
8.8
HIGH
CVSS 3.1
EPSS 0.11%
Description
Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed users to obtain CSRF tokens without an associated web session ID, resulting in CSRF tokens that did not expire and could be used to bypass CSRF protection for the anonymous user.
How to fix CVE-2019-10384
To remediate CVE-2019-10384, upgrade the affected package to a fixed version below.
- —upgrade to 2.176.3 or later
Is CVE-2019-10384 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 2.176.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |