PT-2019-11717 · Jenkins · Jenkins Gitlab Authentication Plugin
Taka_1690
Published 2019-04-30 · Updated 2023-10-25 · CVE-2019-10315
CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions
Jenkins GitHub Authentication Plugin versions 0.31 and earlier
Description
The issue concerns the handling of the OAuth state parameter, which is meant to prevent CSRF. An attacker could capture the redirect (callback) URL produced during their own OAuth authentication and send it to a victim. If the victim was already logged in to Jenkins, the victim's Jenkins account would be linked to the attacker's GitHub account.
Recommendations
For Jenkins GitHub Authentication Plugin versions 0.31 and earlier, update to a version that correctly manages the state parameter of OAuth to prevent CSRF. As a temporary workaround, consider restricting the use of OAuth authentication until a patch is available.
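To make the description and the recommended fix concrete, here is an added example in Python (not code from this page, from Jenkins, or from the plugin). It models a minimal OAuth account-linking flow for a hypothetical Jenkins-like server: the vulnerable variant accepts any callback URL, so a captured callback handed to a logged-in victim links the victim's account to the attacker's identity; the hardened variant only accepts a callback whose state matches the one stored in the victim's own session. All URLs, session objects and the `link_account` callback are constructed for the example.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed example: hypothetical callback endpoint of a Jenkins-like server.
CALLBACK_URL = "https://jenkins.example/oauth/callback"


class Session:
    """Server-side session of one browser, holding the logged-in user."""

    def __init__(self, user):
        self.user = user
        self.oauth_state = None  # state issued when this session started an OAuth flow


def begin_oauth(session, client_id):
    """Step 1: generate an unguessable state, bind it to the calling session,
    and build the authorization URL the browser is redirected to."""
    session.oauth_state = secrets.token_urlsafe(32)
    params = {
        "client_id": client_id,
        "redirect_uri": CALLBACK_URL,
        "scope": "read:user",
        "state": session.oauth_state,
    }
    return "https://github.com/login/oauth/authorize?" + urlencode(params)


def finish_oauth_unchecked(session, callback_url, link_account):
    """Vulnerable variant: the state in the callback is never compared with the
    session's own state, so any captured callback URL is accepted."""
    query = parse_qs(urlparse(callback_url).query)
    link_account(session.user, query["code"][0])
    return True


def finish_oauth_checked(session, callback_url, link_account):
    """Hardened variant: accept the callback only if its state equals the one
    stored in this session (constant-time compare) and consume the state so a
    callback cannot be replayed."""
    query = parse_qs(urlparse(callback_url).query)
    received = query.get("state", [""])[0]
    expected = session.oauth_state
    session.oauth_state = None  # single use
    if not expected or not hmac.compare_digest(received, expected):
        return False
    link_account(session.user, query["code"][0])
    return True


def simulate_attack(finish):
    """Attacker starts a flow, captures the callback GitHub would send to the
    attacker's browser, and hands it to a logged-in victim instead.
    Returns (callback accepted?, identity now linked to the victim)."""
    links = {}

    def link_account(user, code):
        # The code stands for the GitHub identity it would be exchanged for.
        links[user] = code

    attacker = Session("attacker")
    victim = Session("victim")
    begin_oauth(attacker, "client-id")
    captured = CALLBACK_URL + "?" + urlencode(
        {"code": "attacker-code", "state": attacker.oauth_state}
    )
    accepted = finish(victim, captured, link_account)
    return accepted, links.get("victim")


def simulate_legitimate(finish):
    """The honest flow: the same session starts and finishes the login."""
    links = {}

    def link_account(user, code):
        links[user] = code

    user = Session("alice")
    begin_oauth(user, "client-id")
    callback = CALLBACK_URL + "?" + urlencode(
        {"code": "alice-code", "state": user.oauth_state}
    )
    accepted = finish(user, callback, link_account)
    return accepted, links.get("alice")


if __name__ == "__main__":
    print("unchecked, attack:", simulate_attack(finish_oauth_unchecked))
    print("checked, attack:  ", simulate_attack(finish_oauth_checked))
    print("checked, legit:   ", simulate_legitimate(finish_oauth_checked))
```

Two details matter in the hardened variant: the expected state comes from the victim's own session rather than from the URL, so a callback minted in another browser never matches, and the state is cleared on first use so the same URL cannot be submitted twice.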
Fix
CSRF
Weakness Enumeration
Related Identifiers
Affected Products
Jenkins
Jenkins Gitlab Authentication Plugin