Bug 1819190 (CVE-2020-2160) - CVE-2020-2160 jenkins: CSRF protection bypass via crafted URLs
Summary: CVE-2020-2160 jenkins: CSRF protection bypass via crafted URLs
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-2160
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1819497 1819501 1819505 1820017 1820018 1873174 1877292
Blocks: 1819191
Reported: 2020-03-31 12:31 UTC by Dhananjay Arunesh
Modified: 2021-10-28 01:16 UTC
CC List: 13 users

Fixed In Version: jenkins LTS 2.204.6, jenkins LTS 2.222.1, jenkins 2.228
Clone Of:
Environment:
Last Closed: 2021-10-28 01:16:30 UTC
Embargoed:



Description Dhananjay Arunesh 2020-03-31 12:31:56 UTC
A vulnerability was found in Jenkins: Jenkins 2.227 and earlier and LTS 2.204.5 and earlier use different representations of request URL paths, which allows attackers to craft URLs that bypass CSRF protection of any target URL.

Reference:
http://www.openwall.com/lists/oss-security/2020/03/25/2
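The bug class named in the description, as an added illustration that is not Jenkins's code and not taken from the advisory: a CSRF filter that classifies a request by the raw URL path while the dispatcher acts on a normalised form of it. The exemption list, the canonicalisation rules and the sample paths are constructed assumptions; the point is that the filter must decide on the same path representation the router will use, and that a regression check can flag any path on which the two views disagree.

```python
import posixpath
from urllib.parse import unquote

# Constructed assumption: paths a hypothetical filter lets through without a
# CSRF token because they are believed not to be state-changing.
EXEMPT_PREFIXES = ("/static/", "/login")


def canonical_path(raw_path: str) -> str:
    """Resolve a path the way a router commonly does (assumed behaviour):
    percent-decode, drop ';param' suffixes on each segment, collapse '.' and
    '..', and return an absolute path with a single leading slash."""
    decoded = unquote(raw_path)
    segments = [seg.split(";", 1)[0] for seg in decoded.split("/")]
    return posixpath.normpath("/" + "/".join(segments).lstrip("/"))


def naive_exempt(raw_path: str) -> bool:
    """Vulnerable pattern: decide on the raw representation only."""
    return raw_path.startswith(EXEMPT_PREFIXES)


def hardened_exempt(raw_path: str) -> bool:
    """Fixed pattern: decide on the representation the router will act on."""
    return canonical_path(raw_path).startswith(EXEMPT_PREFIXES)


def csrf_check(raw_path: str, method: str, token_ok: bool, exempt) -> bool:
    """Return True when the request may proceed under the given exemption rule."""
    if method in ("GET", "HEAD", "OPTIONS"):
        return True
    return exempt(raw_path) or token_ok


def disagreements(raw_paths):
    """Paths on which the two views differ; each one is a potential bypass."""
    return [p for p in raw_paths if naive_exempt(p) != hardened_exempt(p)]


# Constructed sample paths, not taken from the advisory.
SAMPLE_PATHS = [
    "/static/app.js",
    "/job/demo/build",
    "/static/../job/demo/build",
    "/static/%2e%2e/job/demo/build",
    "/login;x=1/../job/demo/build",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{p:34} -> {canonical_path(p):18} naive={naive_exempt(p)} hardened={hardened_exempt(p)}")
    print("disagreements:", disagreements(SAMPLE_PATHS))
```

Running `disagreements` over the routes an application actually exposes is a cheap regression test that the CSRF filter and the dispatcher still agree on every path.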

Comment 1 Dhananjay Arunesh 2020-03-31 12:34:49 UTC
External References:

https://jenkins.io/security/advisory/2020-03-25/#SECURITY-1774

