Allele Security Alert
ASA-2019-00093
Identifier(s)
ASA-2019-00093, SECURITY-1095, CVE-2019-1003010
Title
Cross-Site Request Forgery (CSRF) vulnerability in Git Plugin
Vendor(s)
CloudBees, Inc.
Product(s)
Jenkins
Affected version(s)
Git Plugin up to and including 3.9.1
Fixed version(s)
Git Plugin version 3.9.2
Proof of concept
Unknown
Description
Git Plugin allows the creation of a tag in a job workspace’s Git repository with accompanying metadata attached to a build record.
The HTTP endpoint used to create the tag did not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.
The HTTP endpoint used to create the tag now requires that requests are sent via POST.
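As an added illustration that is not the plugin's code and not part of the advisory, the Stapler web-method pattern behind this class of fix in a hypothetical Jenkins build action; the class, handler and parameter names are assumptions, only the `@RequirePOST`, `@QueryParameter` and `Run.UPDATE` identifiers are real Jenkins/Stapler API.

```java
import hudson.model.Run;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.io.IOException;

/**
 * Hypothetical build action exposing a "create tag" web method.
 * Stapler maps a method named doXxx() to the URL .../xxx, so both
 * handlers below are reachable under the build's action URL.
 */
public class TagActionExample {

    private final Run<?, ?> run;

    public TagActionExample(Run<?, ?> run) {
        this.run = run;
    }

    // BEFORE (the pattern the advisory describes): any HTTP method is
    // accepted, so a plain GET triggers the state change, and the Jenkins
    // crumb-based CSRF check, which only applies to POST, never runs.
    public void doCreateTagUnsafe(StaplerRequest req, StaplerResponse rsp,
                                  @QueryParameter String tagName) throws IOException {
        run.checkPermission(Run.UPDATE);
        createTag(tagName);
        rsp.sendRedirect(".");
    }

    // AFTER (the fix pattern): @RequirePOST makes Stapler answer non-POST
    // requests with 405 Method Not Allowed, and an accepted POST must carry
    // a valid crumb when CSRF protection is enabled, so a forged cross-site
    // GET no longer reaches createTag().
    @RequirePOST
    public void doCreateTag(StaplerRequest req, StaplerResponse rsp,
                            @QueryParameter String tagName) throws IOException {
        run.checkPermission(Run.UPDATE);
        createTag(tagName);
        rsp.sendRedirect(".");
    }

    // Placeholder for the state-changing operation (tagging the workspace
    // repository and recording the tag on the build); not the plugin's code.
    private void createTag(String tagName) {
        if (tagName == null || tagName.isEmpty()) {
            throw new IllegalArgumentException("tag name required");
        }
    }
}
```

The permission check alone does not prevent CSRF, because the forged request is sent by the victim's own browser with the victim's session; the HTTP-method restriction plus the crumb is what closes the gap.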
Technical details
Unknown
Credits
Oleg Nenashev
Reference(s)
Jenkins Security Advisory 2019-01-28
https://jenkins.io/security/advisory/2019-01-28
Jenkins Plugin
https://plugins.jenkins.io/git
CVE-2019-1003010 (MITRE)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1003010
CVE-2019-1003010 (NVD)
https://nvd.nist.gov/vuln/detail/CVE-2019-1003010
If there is any error in this alert or you would like a comprehensive analysis, let us know.
Last modified: February 24, 2019