CVE-2019-10353: Cross-Site Request Forgery in Jenkins

CVSS Score
7.5 (CVSS 3.0)

Basic Information

EPSS Score
0.42536%
Published
5/24/2022
Updated
12/6/2023
KEV Status
No
Technology
Java

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Package Name                      Ecosystem   Vulnerable Versions    First Patched Version
org.jenkins-ci.main:jenkins-core  maven       <= 2.176.1             2.176.2
org.jenkins-ci.main:jenkins-core  maven       >= 2.177, <= 2.185     2.186

The first row is the LTS release line (2.176.x), the second the weekly release line; both fixes shipped together.

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The crumb did not expire because nothing bound it to the HTTP session that obtained it. DefaultCrumbIssuer.issueCrumb() derived the crumb only from values that stay constant across sessions (the authenticated user name and, unless excluded, the client IP address, hashed together with a server-side secret), so a crumb captured once remained valid for every later session of that user from that address, including after logout. Commit 7721523 fixes this by adding the session ID to the crumb material in DefaultCrumbIssuer.issueCrumb(): the pre-patch code (lines 75-87) has no session-ID input, while the post-patch code includes the session ID, so any session change invalidates previously issued crumbs. The test case DefaultCrumbIssuerSEC626Test exercises exactly this session-bound expiry, confirming that this function is where the defect lived. Operational caveat: after the fix a crumb is only accepted within the session that issued it, so API clients that fetch a crumb from /crumbIssuer/api/json must send the same session cookie with the request that uses it, or authenticate with an API token instead (token-authenticated requests are not subject to the crumb check); the fixed releases also let administrators restore the old behaviour with the system property hudson.security.csrf.DefaultCrumbIssuer.EXCLUDE_SESSION_ID=true, which reintroduces this weakness.
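The following is an added illustrative model of the two crumb derivations, written for this page and not taken from Jenkins's source. It keeps the shape described above (a digest over requester-identifying material plus a server-side secret, with the session ID added after the fix) but simplifies the exact byte layout, and the secret, user, IP and session IDs are all constructed values. It shows why a leaked crumb survives a re-login under the pre-fix derivation and fails under the post-fix one.

```python
import hashlib
import hmac

# Constructed stand-in for the issuer's server-side secret (not a real value).
SERVER_SECRET = b"constructed-server-secret"


def crumb_pre_fix(user: str, client_ip: str, secret: bytes = SERVER_SECRET) -> str:
    """Pre-fix shape: the crumb depends only on user name and client IP,
    neither of which changes when the HTTP session ends."""
    material = f"{user};{client_ip}".encode()
    return hashlib.md5(material + secret).hexdigest()


def crumb_post_fix(user: str, client_ip: str, session_id: str,
                   secret: bytes = SERVER_SECRET) -> str:
    """Post-fix shape: the HTTP session ID is part of the crumb material,
    so a new session yields a different crumb."""
    material = f"{user};{client_ip};{session_id}".encode()
    return hashlib.md5(material + secret).hexdigest()


def validate_pre_fix(presented: str, user: str, client_ip: str) -> bool:
    """Server-side check: recompute and compare in constant time."""
    expected = crumb_pre_fix(user, client_ip)
    return hmac.compare_digest(expected, presented)


def validate_post_fix(presented: str, user: str, client_ip: str,
                      session_id: str) -> bool:
    """Server-side check with the current request's session ID."""
    expected = crumb_post_fix(user, client_ip, session_id)
    return hmac.compare_digest(expected, presented)


def replay_after_relogin() -> dict:
    """Attacker holds a crumb leaked from the victim's first session and
    replays it after the victim logged out and back in (fresh session ID)."""
    user, ip = "alice", "203.0.113.7"          # constructed victim identity
    first_session, second_session = "SESS-0001", "SESS-0002"

    leaked_old = crumb_pre_fix(user, ip)                   # captured in session 1
    leaked_new = crumb_post_fix(user, ip, first_session)   # captured in session 1

    return {
        # Pre-fix: nothing the crumb depends on changed, so the replay passes.
        "pre_fix_replay_accepted": validate_pre_fix(leaked_old, user, ip),
        # Post-fix: the server recomputes with the new session ID and rejects it.
        "post_fix_replay_accepted": validate_post_fix(
            leaked_new, user, ip, second_session),
        # Post-fix crumbs still work inside the session that issued them.
        "post_fix_same_session_accepted": validate_post_fix(
            leaked_new, user, ip, first_session),
    }


if __name__ == "__main__":
    for name, accepted in replay_after_relogin().items():
        print(f"{name}: {accepted}")
```

The same structure explains the client-side caveat: a script that fetches a crumb in one session and submits it from a cookie-less second connection is, from the server's point of view, the second-session replay above, and the fixed issuer correctly rejects it.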

WAF Protection Rules

WAF Rule

CSRF tokens in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier did not expire, thereby allowing attackers able to obtain them to bypass CSRF protection.
