Jenkins Vulnerable to Cross-Site Request Forgery (CSRF) Attack
Low severity
GitHub Reviewed
Published
May 13, 2022
to the GitHub Advisory Database
•
Updated Mar 13, 2025
Package
Affected versions
< 1.625.2
>= 1.626, < 1.638
Patched versions
1.625.2
1.638
Description
Published by the National Vulnerability Database
Nov 25, 2015
Published to the GitHub Advisory Database
May 13, 2022
Reviewed
Mar 13, 2025
Last updated
Mar 13, 2025
Jenkins before 1.638 and LTS before 1.625.2 uses a publicly accessible salt to generate CSRF protection tokens, which makes it easier for remote attackers to bypass the CSRF protection mechanism via a brute force attack.
References