CVE-2019-10315 – org.jenkins-ci.plugins:github-oauth

Package

Manager: maven
Name: org.jenkins-ci.plugins:github-oauth
Vulnerable Version: >=0 <0.32

Severity

Level: Medium

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

EPSS: 0.00113 pctl0.30567

Details

Jenkins GitHub Authentication Plugin Cross-Site Request Forgery vulnerability Jenkins GitHub Authentication Plugin did not manage the state parameter of OAuth to prevent CSRF. This allowed an attacker to catch the redirect URL provided during the authentication process using OAuth and send it to the victim. If the victim was already connected to Jenkins, their Jenkins account would be attached to the attacker’s GitHub account. The state parameter is now correctly managed.

Metadata

Created: 2022-05-24T16:44:55Z
Modified: 2023-10-26T21:51:58Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-phwv-crgp-9r69/GHSA-phwv-crgp-9r69.json
CWE IDs: ["CWE-352"]
Alternative ID: GHSA-phwv-crgp-9r69
Finding: F007
Auto approve: 1