Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed users to obtain CSRF tokens without an associated web session ID, resulting in CSRF tokens that did not expire and could be used to bypass CSRF protection for the anonymous user.

Affected Packages

Maven org.jenkins-ci.main:jenkins-core

Affected versions: 0 (fixed in 2.176.3)

Maven org.jenkins-ci.main:jenkins-core

Affected versions: 2.177 (fixed in 2.192)

Related CVEs

CVE-2019-10384

Key Information

GHSA ID

GHSA-vcr8-h8qp-qj8h

Published

May 24, 2022 4:55 PM

Last Modified

June 28, 2022 10:29 PM

CVSS Score

7.5 /10

Primary Ecosystem

Maven

Primary Package

org.jenkins-ci.main:jenkins-core

GitHub Reviewed

✓ Yes

Dataset

Last updated: August 24, 2025 6:28 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.