Allele Security Alert
ASA-2019-00093, SECURITY-1095, CVE-2019-1003010
Cross-Site Request Forgery (CSRF) vulnerability in Git Plugin
Affected versions: Git Plugin up to and including 3.9.1
Fixed version: Git Plugin version 3.9.2
Proof of concept
Git Plugin allows the creation of a tag in a job workspace’s Git repository with accompanying metadata attached to a build record.
The HTTP endpoint to create the tag did not require POST requests, resulting in a CSRF vulnerability.
The HTTP endpoint to create the tag now requires that requests are sent via POST.
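The effect of the missing method check can be seen in a toy dispatcher, added here as an illustration; it is not Jenkins or Git Plugin code. It assumes a server-side CSRF token filter that only inspects POST requests, and every name, session and request in it is constructed.

```python
import hmac
import secrets

SESSION_TOKENS = {}  # session id -> CSRF token (constructed, in-memory)

def issue_token(session_id):
    SESSION_TOKENS[session_id] = secrets.token_hex(16)
    return SESSION_TOKENS[session_id]

def csrf_filter(req):
    """Assumed filter behaviour: only POST requests are checked for a token."""
    if req["method"] != "POST":
        return True
    expected = SESSION_TOKENS.get(req["session"], "")
    return bool(expected) and hmac.compare_digest(expected, req.get("token", ""))

def tag_before_fix(req, tags):
    """Pre-fix model: the handler accepts any HTTP method."""
    tags.append(req["params"]["name"])
    return 200

def tag_after_fix(req, tags):
    """Post-fix model: the method is checked before any side effect."""
    if req["method"] != "POST":
        return 405
    tags.append(req["params"]["name"])
    return 200

def dispatch(handler, req, tags):
    if req["session"] not in SESSION_TOKENS:
        return 401
    if not csrf_filter(req):
        return 403
    return handler(req, tags)

def demo():
    token = issue_token("victim-session")
    # Constructed requests: a cross-site page can make the browser send the
    # session cookie but cannot supply the token; the real form can.
    cross_get = {"method": "GET", "session": "victim-session", "params": {"name": "t"}}
    cross_post = {"method": "POST", "session": "victim-session", "params": {"name": "t"}}
    own_post = {**cross_post, "token": token}
    results = {}
    for label, handler in (("before", tag_before_fix), ("after", tag_after_fix)):
        tags = []
        codes = [dispatch(handler, r, tags) for r in (cross_get, cross_post, own_post)]
        results[label] = (codes, len(tags))
    return results

if __name__ == "__main__":
    print(demo())
```

In the "before" model the tokenless GET creates a tag because the token filter never sees it; in the "after" model only the POST carrying the session's token does.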
Jenkins Security Advisory 2019-01-28
Last modified: February 24, 2019