CVE-2019-10315

描述

Jenkins GitHub Authentication Plugin did not manage the state parameter of OAuth to prevent CSRF. This allowed an attacker to catch the redirect URL provided during the authentication process using OAuth and send it to the victim. If the victim was already connected to Jenkins, their Jenkins account would be attached to the attacker’s GitHub account. The state parameter is now correctly managed.

受影響套件(1)

• Maven/org.jenkins-ci.plugins:github-oauthfrom 0, < 0.32

CVSS 分數

參考連結(4)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2019-10315
• WEBhttps://jenkins.io/security/advisory/2019-04-30/#SECURITY-443
• WEBhttps://web.archive.org/web/20200227073756/http://www.securityfocus.com/bid/108159
• WEBhttp://www.openwall.com/lists/oss-security/2019/04/30/5