Cross-site request forgery in org.jenkins-ci.plugins:gitlab-oauth

Description

CSRF vulnerability in GitLab Authentication Plugin: GitLab Authentication Plugin 1.17.1 and earlier does not implement a state parameter in its OAuth flow, that is, a unique and non-guessable value associated with each authentication request and checked when the identity provider redirects back to Jenkins.

Because nothing ties the callback to the browser session that started the login, an attacker can begin an OAuth login with their own GitLab account, capture the redirect back to Jenkins that carries their authorization code, and get a victim to open that URL. This vulnerability therefore allows attackers to trick users into logging in to the attacker's account (login CSRF).

GitLab Authentication Plugin 1.18 implements a state parameter in its OAuth flow.
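The following is an added illustration, not code from the GitLab Authentication Plugin or from Jenkins. It models, in Python, the client side of an OAuth authorization-code flow twice: once without a state parameter (the pre-1.18 behaviour described above) and once with a per-session, single-use state that is checked on the callback. The identity-provider endpoint, the authorization codes and the account names are constructed stand-ins; the real plugin's class and method names are not reproduced here.

```python
import hmac
import secrets

# Constructed stand-in for the provider's code-to-token exchange: each
# authorization code was issued to one account. A real provider returns a
# token and profile; the account name is enough to show who ends up logged in.
ISSUED_CODES = {"code-attacker": "attacker", "code-victim": "victim"}

AUTHORIZE_URL = "https://gitlab.example/oauth/authorize"  # assumed hostname


class Session:
    """Server-side session for one browser (the equivalent of Jenkins' HTTP session)."""

    def __init__(self):
        self.oauth_state = None  # state issued for an in-progress login, if any
        self.user = None  # account the session is logged in as, if any


class VulnerableClient:
    """No state: the callback is accepted from any browser with any valid code."""

    def begin_login(self, session):
        return f"{AUTHORIZE_URL}?client_id=jenkins&response_type=code"

    def finish_login(self, session, params):
        # Whoever obtained the code becomes the logged-in user of *this* session,
        # even though this session never started a login.
        session.user = ISSUED_CODES[params["code"]]
        return session.user


class HardenedClient:
    """State bound to the session, compared in constant time, consumed on first use."""

    def begin_login(self, session):
        session.oauth_state = secrets.token_urlsafe(32)  # unique and non-guessable
        return (f"{AUTHORIZE_URL}?client_id=jenkins&response_type=code"
                f"&state={session.oauth_state}")

    def finish_login(self, session, params):
        expected, presented = session.oauth_state, params.get("state")
        session.oauth_state = None  # single use: a replayed callback fails too
        if expected is None or presented is None or \
                not hmac.compare_digest(expected, presented):
            raise PermissionError("OAuth state mismatch: possible login CSRF")
        session.user = ISSUED_CODES[params["code"]]
        return session.user


def legitimate_login(client):
    """One browser starts and finishes its own login; the provider echoes state back."""
    session = Session()
    client.begin_login(session)
    params = {"code": "code-victim", "state": session.oauth_state}
    return client.finish_login(session, params)


def login_csrf(client):
    """The attack: attacker authorizes with their own account, captures the redirect
    back to Jenkins (their code, plus their own state if the flow has one) and gets
    the victim's browser to load it. Returns the account the victim ends up as,
    or None if the callback was rejected."""
    attacker = Session()
    client.begin_login(attacker)
    forged = {"code": "code-attacker", "state": attacker.oauth_state}

    victim = Session()
    client.begin_login(victim)  # victim may have a login of their own in progress
    try:
        return client.finish_login(victim, forged)
    except PermissionError:
        return None


if __name__ == "__main__":
    print("vulnerable, forged callback ->", login_csrf(VulnerableClient()))  # attacker
    print("hardened,   forged callback ->", login_csrf(HardenedClient()))    # None
    print("hardened,   own login       ->", legitimate_login(HardenedClient()))  # victim
```

The hardened client rejects the forged callback because the attacker's state, whatever it is, never matches the value stored in the victim's session; the check also fails when the victim has no login in progress at all. Clearing the stored state before comparing makes it single-use, so a captured callback cannot be replayed against the same session later.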

Mitigation

Update to GitLab Authentication Plugin 1.18 or later.

Update impact

Minimal update (1.17.1 to 1.18), though, as with any dependency change, it may introduce new vulnerabilities or breaking changes; review the plugin's release notes before upgrading.

Ecosystem: Maven
Package: org.jenkins-ci.plugins:gitlab-oauth
Affected versions: 1.17.1 and earlier
Patched versions: 1.18