Bug 1526596 - jenkins: CSRF protection delayed after startup
Summary: jenkins: CSRF protection delayed after startup
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1526597 1526598 1565308
Blocks: 1526600
Reported: 2017-12-15 19:29 UTC by Pedro Sampaio
Modified: 2021-10-21 11:58 UTC (History)

Fixed In Version: jenkins 2.95, jenkins 2.89.2
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-10-21 11:58:23 UTC
Embargoed:



Description Pedro Sampaio 2017-12-15 19:29:39 UTC
A race condition during Jenkins startup could result in the wrong order of execution of commands during initialization.

There’s a very short window of time after startup during which Jenkins may no longer show the "Please wait while Jenkins is getting ready to work" message, but Cross-Site Request Forgery (CSRF) protection may not yet be effective.

External references:

https://jenkins.io/security/advisory/2017-12-14/

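The window described above is easy to miss operationally because the usual readiness signal (the "getting ready" banner disappearing) is exactly the signal that fires too early. The following probe, an added example that is not part of the bug report, the Jenkins advisory or the Jenkins code base, treats an instance as ready only once the crumb issuer is observably serving crumbs. It assumes the probe runs as a user with Overall/Read and that CSRF protection is enabled (so `/crumbIssuer/api/json` exists); the scripted responses it replays offline are constructed for this example.

```python
"""Startup readiness probe that reports "ready" only once CSRF protection is
observably active, not merely once the startup banner has disappeared.
Added example; assumes Overall/Read for the probing user and CSRF enabled."""
import json
import sys
import time
import urllib.error
import urllib.request

STARTUP_BANNER = "Please wait while Jenkins is getting ready to work"
CRUMB_PATH = "/crumbIssuer/api/json"


def make_http_fetch(base_url, timeout=5.0):
    """Build a fetcher: path -> (http_status, body_text). Status 0 = no answer."""
    def fetch(path):
        req = urllib.request.Request(base_url.rstrip("/") + path)
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            return err.code, err.read().decode("utf-8", "replace")
        except (urllib.error.URLError, OSError):
            return 0, ""
    return fetch


def banner_gone(status, body):
    """Jenkins serves the startup banner with HTTP 503; any answered, non-503
    response without the banner text counts as "banner gone"."""
    return status not in (0, 503) and STARTUP_BANNER not in body


def crumb_active(status, body):
    """CSRF protection counts as active only when the crumb issuer returns 200
    with a non-empty crumb and request-field name. Anything else (including
    404 when no crumb issuer is configured) is treated as not active."""
    if status != 200:
        return False
    try:
        data = json.loads(body)
    except ValueError:
        return False
    return bool(data.get("crumb")) and bool(data.get("crumbRequestField"))


def classify(root_status, root_body, crumb_status, crumb_body):
    """Map one pair of observations to a state. 'banner-gone-no-csrf' is the
    window the report describes: the UI looks ready, CSRF protection is not."""
    if not banner_gone(root_status, root_body):
        return "starting"
    if not crumb_active(crumb_status, crumb_body):
        return "banner-gone-no-csrf"
    return "ready"


def wait_until_ready(fetch, attempts=60, delay=1.0, sleep=time.sleep):
    """Poll until 'ready' or attempts run out; returns every observed state so
    a deployment script can gate on the last one and log the transition."""
    states = []
    for _ in range(attempts):
        root_status, root_body = fetch("/")
        crumb_status, crumb_body = fetch(CRUMB_PATH)
        state = classify(root_status, root_body, crumb_status, crumb_body)
        states.append(state)
        if state == "ready":
            break
        sleep(delay)
    return states


def scripted_fetch(script):
    """Offline stand-in for make_http_fetch: replays constructed responses."""
    responses = iter(script)
    return lambda path: next(responses)


# Constructed sample of three polling rounds (root page, then crumb issuer):
# still starting; banner gone but no crumbs yet; fully ready.
SAMPLE_SCRIPT = [
    (503, "<html>Please wait while Jenkins is getting ready to work</html>"),
    (503, ""),
    (200, "<html><title>Dashboard [Jenkins]</title></html>"),
    (404, "Not Found"),
    (200, "<html><title>Dashboard [Jenkins]</title></html>"),
    (200, '{"_class":"hudson.security.csrf.DefaultCrumbIssuer",'
          '"crumb":"constructed-crumb","crumbRequestField":"Jenkins-Crumb"}'),
]


def demo():
    """Run the probe against the constructed script (no network needed)."""
    return wait_until_ready(scripted_fetch(SAMPLE_SCRIPT), attempts=5,
                            delay=0, sleep=lambda _: None)


if __name__ == "__main__":
    # Live use: python probe.py http://jenkins.example:8080 (hypothetical URL)
    observed = (wait_until_ready(make_http_fetch(sys.argv[1]))
                if len(sys.argv) > 1 else demo())
    print(" -> ".join(observed))
    sys.exit(0 if observed[-1] == "ready" else 1)
```

The design choice worth noting is that `classify` reports the intermediate state by name rather than collapsing it into "not ready": a deployment pipeline that logs `banner-gone-no-csrf` for more than a moment has evidence of the race on a given version, and one that gates traffic on `ready` never exposes the instance during that window. If anonymous read is disabled on the instance, the fetcher would need to send credentials, which the example does not add.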
Comment 1 Pedro Sampaio 2017-12-15 19:30:31 UTC
Created jenkins tracking bugs for this issue:

Affects: fedora-all [bug 1526598]
Affects: openshift-1 [bug 1526597]
