The provided patch commit addresses a classic Cross-Site Request Forgery (CSRF) vulnerability in the Jenkins login form. The root cause was that login requests were processed without any CSRF token check. The patch adds this check by overriding the attemptAuthentication method in the hudson.security.AuthenticationProcessingFilter2 class, the filter responsible for processing username/password authentication. The added logic validates a CSRF token (called a 'crumb' in Jenkins) taken from the request parameters or headers; if the token is missing or invalid, the authentication attempt is rejected. The accompanying changes to the Jelly files (login.jelly and authenticate-security-token.jelly) ensure that the crumb is embedded in the login forms presented to the user. The attemptAuthentication method is therefore the precise location where the vulnerability existed and was fixed. A runtime profiler would show this method in the stack trace during a login attempt, and the absence of the crumb check in that method is the indicator of the vulnerability.
Function: hudson.security.AuthenticationProcessingFilter2.attemptAuthentication
File: core/src/main/java/hudson/security/AuthenticationProcessingFilter2.java
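As an added illustration of the shape of the fix (not the Jenkins patch itself), the following self-contained Java 17 program issues a crumb bound to the caller's session, embeds it in the login form, and checks it from a parameter or header before the credentials are processed. The Request record, the crumb field name and the HMAC secret are constructed stand-ins for the servlet request and Jenkins's own crumb issuer.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class CrumbCheckedLogin {
    // Constructed stand-in for the servlet request: session id, form parameters and headers.
    record Request(String sessionId, Map<String, String> params, Map<String, String> headers) {}

    static final String CRUMB_FIELD = "Jenkins-Crumb"; // assumed parameter/header name
    static final byte[] SECRET = "constructed-server-secret".getBytes(StandardCharsets.UTF_8);

    /** Issue a crumb bound to the session; the login form embeds it as a hidden field. */
    static String issueCrumb(String sessionId) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(SECRET, "HmacSHA256"));
        StringBuilder hex = new StringBuilder();
        for (byte b : mac.doFinal(sessionId.getBytes(StandardCharsets.UTF_8))) hex.append(String.format("%02x", b));
        return hex.toString();
    }

    /** Accept the crumb from the form field or the header; a missing crumb is a failure. */
    static boolean validateCrumb(Request req) throws Exception {
        String crumb = req.params().getOrDefault(CRUMB_FIELD, req.headers().get(CRUMB_FIELD));
        if (crumb == null) return false;
        byte[] expected = issueCrumb(req.sessionId()).getBytes(StandardCharsets.UTF_8);
        // Constant-time comparison so the check does not leak how many bytes matched.
        return MessageDigest.isEqual(expected, crumb.getBytes(StandardCharsets.UTF_8));
    }

    /** Same ordering as the patched filter: crumb check first, credentials only afterwards. */
    static String attemptAuthentication(Request req) throws Exception {
        if (!validateCrumb(req)) {
            throw new SecurityException("No valid crumb was included in the login request");
        }
        // Only here would a real filter hand j_username/j_password to the authentication manager.
        return "authenticated " + req.params().get("j_username");
    }

    public static void main(String[] args) throws Exception {
        String session = "session-abc123"; // constructed session id
        Map<String, String> creds = Map.of("j_username", "alice", "j_password", "pw");
        Request good = new Request(session, creds, Map.of(CRUMB_FIELD, issueCrumb(session)));
        System.out.println(attemptAuthentication(good));
        // A form posted from another origin rides on the victim's session but cannot supply the crumb.
        Request forged = new Request(session, creds, Map.of());
        try { attemptAuthentication(forged); } catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```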
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.jenkins-ci.main:jenkins-core | maven | >= 2.529, < 2.541 | 2.541 |
| org.jenkins-ci.main:jenkins-core | maven | < 2.528.3 | 2.528.3 |