Allele Security Alert
ASA-2019-00602
Identifier(s)
ASA-2019-00602, CVE-2019-10462, SECURITY-1483 (1)
Title
Cross-Site Request Forgery
Vendor(s)
Dynatrace Development Team
Dariusz Glugla
Piotr Lugowsk
Product(s)
Jenkins Dynatrace Application Monitoring Plugin
Affected version(s)
Jenkins Dynatrace Application Monitoring Plugin versions before 2.1.4
Fixed version(s)
Jenkins Dynatrace Application Monitoring Plugin version 2.1.4
Proof of concept
Unknown
Description
Dynatrace Application Monitoring Plugin did not require POST requests on a method implementing form validation. This CSRF vulnerability allowed attackers to initiate a connection test to an attacker-specified server with attacker-specified username and password.
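To illustrate the defect class described above, the following is an added example (not the plugin's own code; the class, method and parameter names are assumed) showing a Jenkins/Stapler form-validation method that any HTTP method can reach, beside the corrected version that requires POST and checks permission:

```java
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

// Illustrative descriptor-style class (names assumed). Stapler exposes a web
// method "doTestConnection" at .../testConnection and fills the @QueryParameter
// arguments from the request parameters, so a form-validation method is an
// HTTP endpoint like any other.
public class ExampleConnectionDescriptor {

    // Vulnerable pattern: no HTTP-method restriction. A GET issued from a page on
    // another site (an <img> or a link) runs the connection test with an
    // attacker-chosen server URL and credentials on behalf of the logged-in user.
    public FormValidation doTestConnectionVulnerable(@QueryParameter String serverUrl,
                                                    @QueryParameter String username,
                                                    @QueryParameter String password) {
        return connect(serverUrl, username, password);
    }

    // Hardened pattern: @RequirePOST makes Stapler reject non-POST requests, so a
    // cross-site GET never reaches the body, and with CSRF protection enabled the
    // crumb filter covers the POST. The permission check (an additional measure,
    // not something this advisory states the plugin did) limits who may run it.
    @RequirePOST
    public FormValidation doTestConnection(@QueryParameter String serverUrl,
                                           @QueryParameter String username,
                                           @QueryParameter String password) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return connect(serverUrl, username, password);
    }

    // Stand-in for the real connection test (assumed); it is the outbound request
    // made here, with caller-supplied credentials, that a CSRF attack would trigger.
    private FormValidation connect(String serverUrl, String username, String password) {
        if (serverUrl == null || serverUrl.isEmpty()) {
            return FormValidation.error("Server URL is required");
        }
        // ... open an HTTP connection to serverUrl using username/password ...
        return FormValidation.ok("Connection successful");
    }
}
```

For detection, a GET (rather than POST) to a `doTestConnection`-style URL in the Jenkins access log is a reliable indicator of this pattern being probed on an unpatched version.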
Technical details
Unknown
Credits
Viktor Gazdag (NCC Group)
Reference(s)
Jenkins Security Advisory 2019-10-23
https://jenkins.io/security/advisory/2019-10-23/#SECURITY-1483 (1)
Jenkins security advisory
https://groups.google.com/d/msg/jenkinsci-advisories/KCv6eDsiV3Y/GNr0aDC3AQAJ
oss-security – Multiple vulnerabilities in Jenkins plugins
https://www.openwall.com/lists/oss-security/2019/10/23/2
Dynatrace Application Monitoring
https://plugins.jenkins.io/dynatrace-dashboard
Bugfix/august2019 #18
https://github.com/jenkinsci/dynatrace-plugin/pull/18
Bugfix/august2019 (#18)
https://github.com/jenkinsci/dynatrace-plugin/commit/373adaa1161d59ccd4e5e3469a9b6aeec17968ae
Bugfix/august2019 #18
https://github.com/jenkinsci/dynatrace-plugin/pull/18/commits/f61c3bf946deb208b6b8ac497ac3879cec6c5aa0
CVE-2019-10462
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10462
CVE-2019-10462
https://nvd.nist.gov/vuln/detail/CVE-2019-10462
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: November 4, 2019