logo

Database

Improper authorization control for web services In org.jenkins-ci.plugins:gitlab-plugin

Description

Jenkins GitLab Plugin missing permission checks Jenkins GitLab Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method did not require POST requests, resulting in a cross-site request forgery vulnerability.

This form validation method now requires POST requests and Overall/Administer permissions.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2019-103012. NVD-2019-103013. OSV-2019-103014. GCVE-2019-10301

References

1. https://github.com/jenkinsci/gitlab-plugin/commit/f028c65539a8892f2d1f738cacc1ea5830adf5d32. https://jenkins.io/security/advisory/2019-04-17/#SECURITY-13573. https://web.archive.org/web/20200227075952/http://www.securityfocus.com/bid/108045

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.

FLAT-I7EK0 – Vulnerability | Fluid Attacks Database