CVE-2017-1000504: Cross-Site Request Forgery in Jenkins
8.1
CVSS Score
3.0
Basic Information
CVE ID
GHSA ID
EPSS Score
0.84319%
CWE
Published
5/14/2022
Updated
3/4/2024
KEV Status
No
Technology
Java
Technical Details
CVSS Vector
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
org.jenkins-ci.main:jenkins-core | maven | >= 2.81, <= 2.89.1 | 2.89.2 |
org.jenkins-ci.main:jenkins-core | maven | >= 2.90, <= 2.94 | 2.95 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from improper task synchronization during Jenkins' initialization sequence. The patch adds '.attains(COMPLETED)'
to two reactor tasks in Jenkins.java
, indicating these were the missing synchronization points. These anonymous Executable
implementations (run()
) handle critical post-load operations but weren't properly sequenced with the COMPLETED
state before the fix. This allowed the system to report readiness while CSRF
protection remained uninitialized, creating the race condition window.