Miggo Logo

CVE-2017-1000504: Cross-Site Request Forgery in Jenkins

8.1

CVSS Score
3.0

Basic Information

EPSS Score
0.84319%
Published
5/14/2022
Updated
3/4/2024
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.jenkins-ci.main:jenkins-coremaven>= 2.81, <= 2.89.12.89.2
org.jenkins-ci.main:jenkins-coremaven>= 2.90, <= 2.942.95

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from improper task synchronization during Jenkins' initialization sequence. The patch adds '.attains(COMPLETED)' to two reactor tasks in Jenkins.java, indicating these were the missing synchronization points. These anonymous Executable implementations (run()) handle critical post-load operations but weren't properly sequenced with the COMPLETED state before the fix. This allowed the system to report readiness while CSRF protection remained uninitialized, creating the race condition window.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* r*** *on*ition *urin* J*nkins *.** *n* **rli*r; *.**.* *n* **rli*r st*rtup *oul* r*sult in t** wron* or**r o* *x**ution o* *omm*n*s *urin* initi*liz*tion. T**r* is * v*ry s*ort win*ow o* tim* **t*r st*rtup *urin* w*i** J*nkins m*y no lon**r s*ow t*

Reasoning

T** vuln*r**ility st*ms *rom improp*r t*sk syn**roniz*tion *urin* J*nkins' initi*liz*tion s*qu*n**. T** p*t** ***s `'.*tt*ins(*OMPL*T**)'` to two r***tor t*sks in `J*nkins.j*v*`, in*i**tin* t**s* w*r* t** missin* syn**roniz*tion points. T**s* *nonymo