Cross-site Request Forgery (CSRF) Affecting org.jenkins-ci.plugins:gitlab-plugin package, versions [,1.5.12)
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JAVA-ORGJENKINSCIPLUGINS-174458
- published 18 Apr 2019
- disclosed 18 Apr 2019
- credit Peter Adkins of Cisco Umbrella
Introduced: 18 Apr 2019
CVE-2019-10300 Open this link in a new tabHow to fix?
Upgrade org.jenkins-ci.plugins:gitlab-plugin to version 1.5.12 or higher.
Overview
org.jenkins-ci.plugins:gitlab-plugin allows GitLab to trigger builds in Jenkins when code is committed or merge requests are opened / updated. It can also send build status back to GitLab.
Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) due to lack of permission checks on the form validation. A malicious user with Overall/Read access could connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. Additionally, this form validation method did not require POST requests. This validation process now requires POST requests and Overall/Administer permissions.
NOTE: This vulnerability has also been identified as: CVE-2019-10301