logo

Database

Cross-site request forgery In org.jenkins-ci.plugins:gitlab-plugin

Description

Jenkins GitLab Plugin Cross-Site Request Forgery vulnerability Jenkins GitLab Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method did not require POST requests, resulting in a cross-site request forgery vulnerability.

This form validation method now requires POST requests and Overall/Administer permissions.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2019-103002. NVD-2019-103003. OSV-2019-103004. GCVE-2019-10300

References

1. https://github.com/jenkinsci/gitlab-plugin/commit/f028c65539a8892f2d1f738cacc1ea5830adf5d32. https://jenkins.io/security/advisory/2019-04-17/#SECURITY-13573. https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0788

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.