vulnerability

Jenkins Advisory 2019-08-28: CVE-2019-10384: CSRF protection tokens for anonymous users did not expire in some circumstances

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
7	(AV:N/AC:M/Au:N/C:P/I:P/A:P)	Aug 28, 2019	Sep 6, 2019	Aug 11, 2025

Severity

CVSS

(AV:N/AC:M/Au:N/C:P/I:P/A:P)

Published

Aug 28, 2019

Added

Sep 6, 2019

Modified

Aug 11, 2025

Description

Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed users to obtain CSRF tokens without an associated web session ID, resulting in CSRF tokens that did not expire and could be used to bypass CSRF protection for the anonymous user.

Solutions

jenkins-lts-upgrade-2_176_3jenkins-upgrade-2_192

References

CVE-2019-10384
https://attackerkb.com/topics/CVE-2019-10384
CWE-352
URL-https://jenkins.io/security/advisory/2019-08-28/

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today