PT-2019-2964 · Jenkins · Jenkins
Published 2019-07-17 · Updated 2023-10-25
CVE-2019-10353
CVSS v2.0
7.6
High
| Vector | AV:N/AC:H/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
Jenkins versions 2.185 and earlier
Jenkins LTS versions 2.176.1 and earlier
Description
Jenkins protects state-changing requests with CSRF tokens ("crumbs"). In the affected versions a crumb was not bound to the user's web session identifier and therefore never expired: it remained valid even after the user logged out or the session was replaced. A remote attacker who obtains a victim's crumb (for example, one leaked from a page or a captured request) can reuse it indefinitely to pass the CSRF check and perform actions with the victim's privileges.
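The following is an added illustration, not Jenkins code: a minimal model of a CSRF token derived only from long-lived inputs (as in the affected versions) next to one that also includes the web session ID (the shape of the fix). The HMAC construction, the `WebSession` stand-in and the scenario function are assumptions for the demonstration; Jenkins' real DefaultCrumbIssuer differs in detail. The point it shows is that a captured token from the unbound scheme still validates after the victim logs out and back in, while the session-bound token does not.

```python
"""Non-expiring CSRF token versus a token bound to the web session.

Illustrative code only (not Jenkins' own). The HMAC-based derivation,
the WebSession class and the scenario helpers are assumptions.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Stand-in for the server-side secret that salts every token.
SERVER_SECRET = secrets.token_bytes(32)


def issue_crumb(username: str, session_id: Optional[str]) -> str:
    """Derive a CSRF token for the user.

    With session_id=None the token depends only on the user name and the
    server secret, so it never expires (the vulnerable behaviour).  With a
    session ID mixed in, the token dies with the session (the fix).
    """
    material = username if session_id is None else f"{username};{session_id}"
    return hmac.new(SERVER_SECRET, material.encode(), hashlib.sha256).hexdigest()


def validate_crumb(presented: str, username: str, session_id: Optional[str]) -> bool:
    """Constant-time comparison against the token the server would issue now."""
    expected = issue_crumb(username, session_id)
    return hmac.compare_digest(presented, expected)


class WebSession:
    """Minimal servlet-session stand-in: a fresh random ID on every login."""

    def __init__(self, username: str) -> None:
        self.username = username
        self.id = secrets.token_hex(16)


def replay_captured_crumb(bind_to_session: bool) -> bool:
    """Simulate the attack: the victim logs in, the attacker captures the
    crumb, the victim logs out and logs back in (new session), and the
    attacker replays the captured crumb.  Returns True if it is accepted."""
    victim = WebSession("alice")
    sid = victim.id if bind_to_session else None
    captured = issue_crumb(victim.username, sid)  # leaked to the attacker

    victim = WebSession("alice")  # logout + new login: new session ID
    sid_now = victim.id if bind_to_session else None
    return validate_crumb(captured, victim.username, sid_now)


def fresh_crumb_accepted(bind_to_session: bool) -> bool:
    """Sanity check: a crumb issued for the current session validates."""
    session = WebSession("alice")
    sid = session.id if bind_to_session else None
    return validate_crumb(issue_crumb(session.username, sid), session.username, sid)


if __name__ == "__main__":
    print("unbound crumb accepted after re-login:", replay_captured_crumb(False))
    print("session-bound crumb accepted after re-login:", replay_captured_crumb(True))
```

To check a live instance the same way, obtain a crumb from `/crumbIssuer/api/json` while logged in, log out (or let the session expire), and confirm that a POST carrying the old crumb is rejected; on a patched server it is.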
Recommendations
For Jenkins weekly releases 2.185 and earlier, update to Jenkins 2.186 or later.
For Jenkins LTS 2.176.1 and earlier, update to Jenkins LTS 2.176.2 or later.
In the fixed versions crumbs are tied to the web session and expire with it. Scripts that fetch a crumb must therefore keep the same session (for example, by reusing the session cookie) for the requests that present it.
Fix
CSRF
Related identifiers
Affected products
Jenkins