{
  "threat_severity" : "Important",
  "public_date" : "2019-08-28T00:00:00Z",
  "bugzilla" : {
    "description" : "jenkins: CSRF protection tokens for anonymous users did not expire in some circumstances (SECURITY-1491)",
    "id" : "1747297",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1747297"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.1",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-79",
  "details" : [ "Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed users to obtain CSRF tokens without an associated web session ID, resulting in CSRF tokens that did not expire and could be used to bypass CSRF protection for the anonymous user.", "A flaw was found in Jenkins. Users are allowed to obtain CSRF tokens without an associated web session ID, resulting in CSRF tokens that did not expire and could be used to bypass CSRF protection for the anonymous user. The highest threat from this vulnerability is to data confidentiality and integrity." ],
  "affected_release" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "release_date" : "2019-10-18T00:00:00Z",
    "advisory" : "RHSA-2019:3144",
    "cpe" : "cpe:/a:redhat:openshift:3.11::el7",
    "package" : "jenkins-0:2.176.3.1569349414-1.el7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.1",
    "release_date" : "2019-09-20T00:00:00Z",
    "advisory" : "RHSA-2019:2789",
    "cpe" : "cpe:/a:redhat:openshift:4.1::el7",
    "package" : "jenkins-0:2.176.3.1568229898-1.el7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 3.10",
    "fix_state" : "Will not fix",
    "package_name" : "jenkins",
    "cpe" : "cpe:/a:redhat:openshift:3.10"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.9",
    "fix_state" : "Will not fix",
    "package_name" : "jenkins",
    "cpe" : "cpe:/a:redhat:openshift:3.9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-10384\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-10384\nhttps://jenkins.io/security/advisory/2019-08-28/#SECURITY-1491" ],
  "name" : "CVE-2019-10384",
  "csaw" : false
}