PT-2019-11702 · Jenkins · Jenkins Git Plugin+1

Peter Adkins

·

Publicado

2019-04-18

·

Atualizado

2023-10-25

·

CVE-2019-10300

CVSS v3.1

8.0

Alta

VetorAV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Jenkins GitLab Plugin versions 1.5.11 and earlier
Description A cross-site request forgery issue exists due to insufficient permission checks and form validation in the GitLabConnectionConfig#doTestConnection method. This allows attackers to connect to a specified URL using specified credentials IDs, potentially capturing stored credentials in Jenkins. The issue is exacerbated by the lack of requirement for POST requests, making it vulnerable to cross-site request forgery attacks.
Recommendations For Jenkins GitLab Plugin versions 1.5.11 and earlier, update the plugin to a version that requires POST requests and Overall/Administer permissions for the form validation method to mitigate the issue.

Correção

CSRF

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-352

Identificadores relacionados

CVE-2019-10300
GHSA-J365-62PX-VJJV

Produtos afetados

Jenkins
Jenkins Git Plugin