ASA-2019-00093 – Jenkins: Cross-Site Request Forgery (CSRF) vulnerability in Git Plugin


Allele Security Alert

ASA-2019-00093

Identifier(s)

ASA-2019-00093, SECURITY-1095, CVE-2019-1003010

Title

Cross-Site Request Forgery (CSRF) vulnerability in Git Plugin

Vendor(s)

CloudBees, Inc

Product(s)

Jenkins

Affected version(s)

Git Plugin up to and including 3.9.1

Fixed version(s)

Git Plugin version 3.9.2

Proof of concept

Unknown

Description

Git Plugin allows the creation of a tag in a job workspace’s Git repository with accompanying metadata attached to a build record.

The HTTP endpoint to create the tag did not require POST requests, resulting in a CSRF vulnerability.

The HTTP endpoint to create the tag now requires that requests are sent via POST.
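The pattern behind this fix, as an added illustration rather than the Git Plugin's own code: a Stapler-bound Jenkins action whose "create tag" web method first accepts any HTTP verb, then is hardened with `@RequirePOST`. Class and method names (`TagBuildAction`, `doCreateTag`, `createTagInWorkspace`) are hypothetical; the Stapler and Jenkins APIs used are real.

```java
// Added illustration (not the Git Plugin's own code): hypothetical
// build-level action exposing a "create tag" web method via Stapler.
import hudson.model.Action;
import hudson.model.Item;
import hudson.model.Run;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

public class TagBuildAction implements Action {
    private final Run<?, ?> build;

    public TagBuildAction(Run<?, ?> build) { this.build = build; }

    // Stapler maps .../<build>/tagBuild/createTagUnsafe to this method.
    // BEFORE (the vulnerable pattern): any HTTP method is accepted, so a
    // link or <img src="..."> on an unrelated page, loaded by a logged-in
    // user, performs the state change. The permission check alone does
    // not help, because the victim's own session authorises the request.
    public HttpResponse doCreateTagUnsafe(@QueryParameter String tagName) {
        build.checkPermission(Item.BUILD);
        createTagInWorkspace(tagName);
        return HttpResponses.ok();
    }

    // AFTER (the fixed pattern): @RequirePOST makes Stapler reject non-POST
    // requests, and Jenkins' CSRF crumb filter validates POSTs, so a
    // cross-site page can no longer drive the endpoint. Authorization is
    // still checked explicitly; the two controls are complementary.
    @RequirePOST
    public HttpResponse doCreateTag(@QueryParameter String tagName) {
        build.checkPermission(Item.BUILD);
        createTagInWorkspace(tagName);
        return HttpResponses.ok();
    }

    private void createTagInWorkspace(String tagName) {
        // Repository tagging itself is not part of what this example shows.
    }

    @Override public String getIconFileName() { return null; }
    @Override public String getDisplayName() { return "Tag this build"; }
    @Override public String getUrlName() { return "tagBuild"; }
}
```

When reviewing a plugin for this class of issue, every `do*` web method that changes state should carry `@RequirePOST` (or an equivalent verb check); a permission check on its own does not prevent CSRF.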

Technical details

Unknown

Credits

Oleg Nenashev

Reference(s)

Jenkins Security Advisory 2019-01-28
https://jenkins.io/security/advisory/2019-01-28

Jenkins Git Plugin
https://plugins.jenkins.io/git

CVE-2019-1003010 (MITRE)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1003010

CVE-2019-1003010 (NVD)
https://nvd.nist.gov/vuln/detail/CVE-2019-1003010

If there is any error in this alert, or if you would like a comprehensive analysis, let us know.

Last modified: February 24, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.