Description
Jenkins 2.227 and earlier, and LTS 2.204.5 and earlier, use different representations of the request URL path in different parts of the request handling, which allows attackers to craft URLs that bypass CSRF protection for any target URL.
Remediation
References
http://www.openwall.com/lists/oss-security/2020/03/25/2
https://jenkins.io/security/advisory/2020-03-25/#SECURITY-1774