Description
Jenkins 2.227 and earlier, and LTS 2.204.5 and earlier, use different representations of request URL paths, which allows attackers to craft URLs that bypass CSRF protection for any target URL.
Remediation
References
http://www.openwall.com/lists/oss-security/2020/03/25/2
https://jenkins.io/security/advisory/2020-03-25/#SECURITY-1774