CVE-2019-10300

Name of the Vulnerable Software and Affected Versions Jenkins GitLab Plugin versions 1.5.11 and earlier

Description A cross-site request forgery issue exists due to insufficient permission checks and form validation in the GitLabConnectionConfig#doTestConnection method. This allows attackers to connect to a specified URL using specified credentials IDs, potentially capturing stored credentials in Jenkins. The issue is exacerbated by the lack of requirement for POST requests, making it vulnerable to cross-site request forgery attacks.

Recommendations For Jenkins GitLab Plugin versions 1.5.11 and earlier, update the plugin to a version that requires POST requests and Overall/Administer permissions for the form validation method to mitigate the issue.