Description
Jenkins 2.227 and earlier, and LTS 2.204.5 and earlier, use different representations of the request URL path when deciding whether a request needs a CSRF token (crumb) and when routing it. This allows attackers to craft URLs that bypass CSRF protection for any target URL, so a victim who is logged in can be made to trigger state-changing actions without a valid crumb.
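The bug class described above (one component deciding on a raw path representation, another routing on a canonical one) is shown below in a small self-contained Python model. This is an added illustration, not Jenkins code, and it does not reproduce the specific path representations involved in SECURITY-1774, which the advisory text here does not detail. The exempt prefix `/static/`, the protected endpoints, and the crumb filter names are all hypothetical.

```python
"""Illustrative model (not Jenkins code): a CSRF crumb filter that inspects one
representation of the request path while the router uses another."""
import posixpath
from urllib.parse import unquote

# Hypothetical: requests under /static/ are exempt from the CSRF crumb check.
CRUMB_EXEMPT_PREFIXES = ("/static/",)
# Hypothetical state-changing endpoints the router can dispatch to.
PROTECTED_ACTIONS = {"/job/demo/doDelete", "/configSubmit"}


def canonical_path(raw_path: str) -> str:
    """Canonical form used by the (modelled) router: percent-decode once,
    drop ';param' suffixes per segment, and collapse '.', '..' and '//'."""
    path = unquote(raw_path)  # single decode: %2e -> '.', %2F -> '/'
    segments = [seg.split(";", 1)[0] for seg in path.split("/")]  # drop ;jsessionid=...
    norm = posixpath.normpath("/".join(segments))  # resolves .. and collapses //
    while norm.startswith("//"):  # normpath keeps exactly two leading slashes
        norm = norm[1:]
    if not norm.startswith("/"):
        norm = "/" + norm
    return norm


def requires_crumb_vulnerable(raw_path: str) -> bool:
    # BUG: the exemption is decided on the raw URI, but routing below uses the
    # canonical path. A raw prefix match is not a statement about the route.
    return not raw_path.startswith(CRUMB_EXEMPT_PREFIXES)


def requires_crumb_fixed(raw_path: str) -> bool:
    # FIX: decide the exemption on the same canonical path the router uses.
    return not canonical_path(raw_path).startswith(CRUMB_EXEMPT_PREFIXES)


def handle(raw_path: str, has_valid_crumb: bool, requires_crumb) -> str:
    """Simulate one request: crumb filter first, then routing on the canonical path."""
    route = canonical_path(raw_path)
    if requires_crumb(raw_path) and not has_valid_crumb:
        return "rejected: missing crumb"
    if route in PROTECTED_ACTIONS:
        return f"executed {route}"
    if route.startswith(CRUMB_EXEMPT_PREFIXES):
        return f"served static {route}"
    return "404"


if __name__ == "__main__":
    # Constructed sample requests, all sent without a crumb (cross-site form/GET).
    samples = [
        "/job/demo/doDelete",                    # direct: both versions reject
        "/static/../job/demo/doDelete",          # raw prefix matches exemption
        "/static/%2e%2e/job/demo/doDelete",      # same, percent-encoded dots
        "/static/;/../job/demo/doDelete",        # empty ;param segment then ..
        "/static/logo.png",                      # legitimately exempt
    ]
    for raw in samples:
        print(f"{raw:40} vulnerable: {handle(raw, False, requires_crumb_vulnerable):32}"
              f" fixed: {handle(raw, False, requires_crumb_fixed)}")
```

The fix that matters is structural, not a longer denylist: every security decision about a request path (CSRF exemption, authorization, routing) must be taken on one canonical representation, computed once and shared, so an attacker cannot find an encoding that one component accepts and another interprets differently.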
Remediation
Upgrade Jenkins weekly to 2.228 or later, or Jenkins LTS to 2.204.6 or later, the versions in which the 2020-03-25 advisory reports SECURITY-1774 fixed. Do not disable CSRF protection as a workaround.
References
http://www.openwall.com/lists/oss-security/2020/03/25/2
https://jenkins.io/security/advisory/2020-03-25/#SECURITY-1774