Jenkins < 2.176.3 LTS / 2.192 Multiple Vulnerabilities
Medium Nessus Plugin ID 129776
SynopsisA job scheduling and management system hosted on the remote web server is affected by multiple vulnerabilities.
DescriptionThe version of Jenkins running on the remote web server is prior to 2.192 or is a version of Jenkins LTS prior to 2.176.3. It is, therefore, affected by multiple vulnerabilities:
- A Cross-site request forgery (XSRF) vulnerability exists in Jenkins, caused by an incomplete fix for SECURITY-626. This allowed users to obtain CSRF tokens without an associated web session ID, resulting in CSRF tokens that did not expire. An unauthenticated, remote attacker can exploit this to bypass CSRF protections for the anonymous user. (CVE-2019-10384)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
SolutionUpgrade Jenkins to version 2.192 or later, Jenkins LTS to version 2.176.3 or later.