CVSS Score: -

Basic Information

CVE ID: -
GHSA ID: -
EPSS Score: -
CWE: -
Published: -
Updated: -
KEV Status: -
Technology: -
The vulnerability stemmed from CSRF tokens (crumbs) not being tied to web sessions for anonymous users. The commit diff removes the getSessionId method, which returned 'NO_SESSION' when no session existed, and replaces it with direct session ID retrieval that forces session creation. The original getSessionId implementation therefore allowed token generation without session binding, which is the root cause. The test cases added in DefaultCrumbIssuerSEC1491Test verify the session-binding requirement, confirming the nature of the vulnerability.
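The following is an added illustration of the binding defect described above; it is not Jenkins' DefaultCrumbIssuer or code from the referenced commit. The class name CrumbBindingDemo, the helper names unboundSessionId/boundSessionId/issueCrumb/validateCrumb, the HMAC construction, the server secret and the sample address and session ids are all assumptions made for the example. It contrasts a crumb minted with the 'NO_SESSION' placeholder (the pre-fix shape) with one keyed to a real session id (the post-fix shape): the first validates for any other session-less request, the second only within the session that obtained it.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Optional;

// Hypothetical, simplified crumb issuer used only to show why session binding matters.
public final class CrumbBindingDemo {

    // Constructed demo secret; a real issuer derives this from persistent server state.
    private static final byte[] SERVER_SECRET =
            "demo-secret-not-for-production".getBytes(StandardCharsets.UTF_8);

    /** Pre-fix shape: an absent session collapses to a fixed placeholder, so every
     *  session-less request shares the same binding input. */
    static String unboundSessionId(Optional<String> session) {
        return session.orElse("NO_SESSION");
    }

    /** Post-fix shape: a session must exist before a crumb can be issued
     *  (the real fix forces the container to create one). */
    static String boundSessionId(Optional<String> session) {
        return session.orElseThrow(
                () -> new IllegalStateException("session required before issuing a crumb"));
    }

    /** Crumb = HMAC-SHA256(secret, clientAddr ":" sessionId). The session id is what ties
     *  the token to one browser session. */
    static String issueCrumb(String clientAddr, String sessionId) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(SERVER_SECRET, "HmacSHA256"));
        mac.update((clientAddr + ':' + sessionId).getBytes(StandardCharsets.UTF_8));
        return toHex(mac.doFinal());
    }

    /** Recompute the expected crumb for the requester's context and compare in constant time. */
    static boolean validateCrumb(String presented, String clientAddr, String sessionId)
            throws Exception {
        byte[] expected = issueCrumb(clientAddr, sessionId).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, presented.getBytes(StandardCharsets.UTF_8));
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        String addr = "203.0.113.5"; // constructed sample client address

        // Pre-fix: two unrelated session-less requests produce the same binding input,
        // so a crumb obtained by one is accepted for the other. Nothing in the token
        // identifies the session that fetched it.
        String unbound = issueCrumb(addr, unboundSessionId(Optional.empty()));
        System.out.println("unbound crumb accepted for another session-less request: "
                + validateCrumb(unbound, addr, unboundSessionId(Optional.empty())));

        // Post-fix: the crumb is keyed to the session id, so it validates only in the
        // session that obtained it and fails under any other session.
        String s1 = "sess-1", s2 = "sess-2"; // constructed session ids
        String bound = issueCrumb(addr, boundSessionId(Optional.of(s1)));
        System.out.println("bound crumb accepted in its own session: "
                + validateCrumb(bound, addr, s1));
        System.out.println("bound crumb accepted in a different session: "
                + validateCrumb(bound, addr, s2));

        // Post-fix: issuing without a session is refused rather than falling back to a placeholder.
        try {
            boundSessionId(Optional.empty());
        } catch (IllegalStateException e) {
            System.out.println("refused: " + e.getMessage());
        }
    }
}
```

The point to check in any crumb or CSRF-token issuer is the same as in the test class named above: the validation input must include something unique to the caller's session, and the issuer must not substitute a constant when that value is missing, because a constant is shared by every caller in the same situation.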
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.jenkins-ci.main:jenkins-core | maven | <= 2.176.2 | 2.176.3 |
| org.jenkins-ci.main:jenkins-core | maven | >= 2.177, <= 2.191 | 2.192 |