PT-2019-11717 · Jenkins · Jenkins Gitlab Authentication Plugin +1

Taka_1690 · Published 2019-04-30 · Updated 2023-10-25 · CVE-2019-10315

CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: Jenkins GitHub Authentication Plugin versions 0.31 and earlier

Description: The issue concerns the handling of the OAuth state parameter, which is meant to prevent CSRF. An attacker could capture the redirect URL produced during the OAuth authentication process and send it to a victim. If the victim was already logged in to Jenkins, their Jenkins account would be linked to the attacker's GitHub account.

Recommendations: For Jenkins GitHub Authentication Plugin versions 0.31 and earlier, update to a version that correctly validates the OAuth state parameter to prevent CSRF. As a temporary workaround, consider restricting the use of OAuth authentication until a patch is available.
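The following is an added illustration of the weakness class the description refers to; it is not code from the Jenkins GitHub Authentication Plugin. The OAuth state value is the anti-CSRF token of the flow: it must be minted per session, bound to that session, and compared on the callback. The GitHub code-to-identity exchange is replaced by a constructed dictionary, and the callback URL, client id and function names are assumptions, so the whole thing runs offline.

```python
"""OAuth 'state' as a CSRF token for account linking: vulnerable vs hardened callback.

Added educational example, not the plugin's code. GitHub's token exchange is
stubbed with a dict so the flow can be executed without network access.
"""
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://github.com/login/oauth/authorize"           # only used to build a URL
CALLBACK_URL = "https://jenkins.example/securityRealm/finishLogin"   # hypothetical callback
CLIENT_ID = "jenkins-client-id"                                      # hypothetical

# Constructed stand-in for GitHub's "authorization code -> identity" exchange.
FAKE_TOKEN_EXCHANGE = {"code-attacker": "attacker-gh", "code-victim": "victim-gh"}


def begin_login(session: dict) -> str:
    """Start the flow: mint an unguessable state, bind it to this session, return the redirect URL."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    query = urlencode({"client_id": CLIENT_ID, "redirect_uri": CALLBACK_URL, "state": state})
    return f"{AUTHORIZE_URL}?{query}"


def _params(callback_url: str) -> dict:
    """Flatten the callback query string into a plain dict (first value per key)."""
    return {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}


def finish_login_vulnerable(session: dict, callback_url: str) -> Optional[str]:
    """The weakness the advisory describes: state is never compared, so any callback URL,
    including one that completes an attacker's own authorization, is linked to whoever
    is currently logged in."""
    p = _params(callback_url)
    if "code" not in p:
        return None
    session["linked_github"] = FAKE_TOKEN_EXCHANGE[p["code"]]
    return session["linked_github"]


def finish_login_hardened(session: dict, callback_url: str) -> Optional[str]:
    """Accept the callback only if it carries the state minted for this session.
    The stored state is consumed (one-time use) and compared in constant time."""
    p = _params(callback_url)
    expected = session.pop("oauth_state", None)
    received = p.get("state")
    if expected is None or received is None or not hmac.compare_digest(expected, received):
        return None            # missing or foreign state: reject, link nothing
    if "code" not in p:
        return None
    session["linked_github"] = FAKE_TOKEN_EXCHANGE[p["code"]]
    return session["linked_github"]


def demo() -> tuple:
    """Replay the scenario from the advisory against both callback implementations."""
    # A callback URL that completes someone else's authorization (state belongs to another session).
    other_session: dict = {}
    begin_login(other_session)
    foreign_callback = f"{CALLBACK_URL}?" + urlencode(
        {"code": "code-attacker", "state": other_session["oauth_state"]}
    )

    # Victim is already logged in to Jenkins and never started an OAuth flow.
    victim = {"user": "alice"}
    linked_by_vulnerable = finish_login_vulnerable(dict(victim), foreign_callback)   # "attacker-gh"
    linked_by_hardened = finish_login_hardened(dict(victim), foreign_callback)       # None

    # Legitimate flow: state minted for this session comes back unchanged.
    legit = {"user": "alice"}
    state = _params(begin_login(legit))["state"]
    own_callback = f"{CALLBACK_URL}?" + urlencode({"code": "code-victim", "state": state})
    linked_legit = finish_login_hardened(legit, own_callback)                        # "victim-gh"

    return linked_by_vulnerable, linked_by_hardened, linked_legit


if __name__ == "__main__":
    print(demo())
```

The hardened handler also pops the stored state before comparing, so a captured callback URL cannot be replayed into the same session a second time, and a request that carries no state at all is rejected rather than silently accepted.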

Fix

CSRF


Weakness Enumeration

Related identifiers

CVE-2019-10315
GHSA-PHWV-CRGP-9R69

Affected products

Jenkins
Jenkins Gitlab Authentication Plugin