Jenkins
cpe:2.3:a:jenkins:jenkins:*:*:*:*:*:*:*
- <= 2.540
- <= 2.528.2
A cross-site request forgery (CSRF) vulnerability exists in Jenkins weekly releases through 2.540 and LTS releases through 2.528.2. Jenkins does not require a CSRF token (crumb) for interactive login requests, so a page under an attacker's control can submit a login to the Jenkins instance on behalf of a user who visits it, tricking that user into logging into the attacker's account.
Exploitation takes the form of a login CSRF: the victim's browser is silently signed into an account the attacker controls, so whatever the victim subsequently does in Jenkins happens in the attacker's session rather than their own.
Update to Jenkins weekly 2.541 or LTS 2.528.3, both of which address this vulnerability. If the fix causes issues, the new check can be disabled by setting the system property 'hudson.security.AuthenticationProcessingFilter2.skipCSRFCheck' to 'true'. Note that doing so restores the vulnerable behaviour, so it should only be a temporary measure while the underlying issue is resolved.
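An inventory check, added here as an example and not part of the advisory: it applies the affected-version thresholds above, treating two-component version strings as weekly releases and three-component strings as LTS releases, so that LTS 2.528.3 is correctly reported as fixed even though it sorts below weekly 2.540 numerically. The hostnames in the sample inventory are constructed.

```python
"""Check Jenkins versions against the login CSRF advisory thresholds.

Jenkins has two release lines with different numbering: weekly releases
use two components (2.540) and LTS releases use three (2.528.2). A plain
numeric comparison gets this wrong, so each line is compared separately.
"""
from typing import Optional

# Thresholds as stated in the advisory (last affected / first fixed).
WEEKLY_LAST_AFFECTED = (2, 540)
WEEKLY_FIXED = (2, 541)
LTS_LAST_AFFECTED = (2, 528, 2)
LTS_FIXED = (2, 528, 3)


def parse_version(v: str) -> tuple[int, ...]:
    """Parse '2.528.2' into (2, 528, 2); reject anything not dotted integers."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Jenkins version: {v!r}")
    return tuple(int(p) for p in parts)


def release_line(version: tuple[int, ...]) -> str:
    """Two components -> weekly line, three components -> LTS line."""
    if len(version) == 2:
        return "weekly"
    if len(version) == 3:
        return "lts"
    raise ValueError(f"unexpected number of components in {version}")


def is_affected(v: str) -> bool:
    """True when the given Jenkins version falls in the affected range."""
    version = parse_version(v)
    if release_line(version) == "weekly":
        return version <= WEEKLY_LAST_AFFECTED
    return version <= LTS_LAST_AFFECTED


def recommended_upgrade(v: str) -> Optional[str]:
    """Fixed release on the same line, or None when the version is not affected."""
    if not is_affected(v):
        return None
    fixed = WEEKLY_FIXED if release_line(parse_version(v)) == "weekly" else LTS_FIXED
    return ".".join(str(p) for p in fixed)


if __name__ == "__main__":
    # Constructed sample inventory (hostnames are not real hosts).
    inventory = [("ci-a", "2.540"), ("ci-b", "2.528.3"), ("ci-c", "2.504.1"), ("ci-d", "2.541")]
    for host, ver in inventory:
        upgrade = recommended_upgrade(ver)
        print(host, ver, f"AFFECTED -> upgrade to {upgrade}" if upgrade else "ok")
```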