CVE-2019-10315

MEDIUM4.3EPSS 0.10%

Jenkins GitHub Authentication Plugin Cross-Site Request Forgery vulnerability

Published: 5/24/2022Modified: 2/16/2024

Description

Jenkins GitHub Authentication Plugin did not manage the state parameter of OAuth to prevent CSRF. This allowed an attacker to catch the redirect URL provided during the authentication process using OAuth and send it to the victim. If the victim was already connected to Jenkins, their Jenkins account would be attached to the attacker’s GitHub account. The state parameter is now correctly managed.

Affected packages (1)

Maven/org.jenkins-ci.plugins:github-oauthfrom 0, < 0.32

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2019-10315
WEBhttps://jenkins.io/security/advisory/2019-04-30/#SECURITY-443
WEBhttps://web.archive.org/web/20200227073756/http://www.securityfocus.com/bid/108159
WEBhttp://www.openwall.com/lists/oss-security/2019/04/30/5