GHSA-phwv-crgp-9r69

Source
https://github.com/advisories/GHSA-phwv-crgp-9r69
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-phwv-crgp-9r69/GHSA-phwv-crgp-9r69.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-phwv-crgp-9r69
Aliases
Published
2022-05-24T16:44:55Z
Modified
2024-02-16T08:02:03.731424Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Summary
Jenkins GitHub Authentication Plugin Cross-Site Request Forgery vulnerability
Details

Jenkins GitHub Authentication Plugin did not use the OAuth state parameter to prevent CSRF. This allowed an attacker to capture the redirect URL produced during their own OAuth authentication and send it to a victim. If the victim was already logged in to Jenkins, their Jenkins account would be attached to the attacker’s GitHub account.

The state parameter is now correctly managed.
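The following is an added illustration of the defect class described above and of the standard fix; it is not the plugin's code and does not reproduce the actual change. It models the login flow with an in-memory session store and a stand-in for GitHub's code exchange (the session ids, authorization codes, client id and callback URL are all constructed placeholders). The vulnerable handler trusts whatever code arrives in the callback URL, so a callback captured by one party binds that party's GitHub login to whichever Jenkins session opens it; the fixed handler only accepts a callback whose state matches the unguessable, single-use value that the same session issued when the login started.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed in-memory stores standing in for the Jenkins HTTP session and GitHub's token endpoint.
SESSIONS = {}  # session_id -> session attributes
CODES = {"code-for-attacker": "attacker-gh", "code-for-victim": "victim-gh"}  # constructed sample codes

AUTHORIZE_URL = "https://github.com/login/oauth/authorize"
CLIENT_ID = "example-client-id"  # placeholder, not a real OAuth app id
CALLBACK = "https://jenkins.example/securityRealm/finishLogin"  # hypothetical callback URL


def exchange_code(code):
    """Stand-in for exchanging an authorization code for a token and resolving the GitHub login."""
    return CODES.get(code)


def state_from_authorize_url(url):
    """Helper for callers/tests: read the state value embedded in an authorization redirect."""
    return parse_qs(urlparse(url).query)["state"][0]


def begin_login(session_id):
    """Start the flow: mint an unguessable state, bind it to this session, build the redirect."""
    state = secrets.token_urlsafe(32)
    SESSIONS.setdefault(session_id, {})["oauth_state"] = state
    query = urlencode({"client_id": CLIENT_ID, "redirect_uri": CALLBACK,
                       "scope": "read:user", "state": state})
    return f"{AUTHORIZE_URL}?{query}"


def finish_login_vulnerable(session_id, callback_url):
    """Pre-fix pattern: the code in the callback is trusted without any state check, so the
    GitHub identity behind that code is attached to whatever session visits the URL."""
    params = parse_qs(urlparse(callback_url).query)
    code = params.get("code", [None])[0]
    login = exchange_code(code) if code else None
    if login is None:
        return None
    SESSIONS.setdefault(session_id, {})["github_login"] = login
    return login


def finish_login_fixed(session_id, callback_url):
    """Fixed pattern: accept the callback only if its state equals the one this session issued.
    The stored state is consumed on first use, so a callback cannot be replayed."""
    params = parse_qs(urlparse(callback_url).query)
    code = params.get("code", [None])[0]
    state = params.get("state", [None])[0]
    expected = SESSIONS.get(session_id, {}).pop("oauth_state", None)
    if not (expected and state):
        return None
    if not hmac.compare_digest(expected.encode(), state.encode()):  # constant-time comparison
        return None
    login = exchange_code(code) if code else None
    if login is None:
        return None
    SESSIONS[session_id]["github_login"] = login
    return login


def demo():
    """Replay the advisory's scenario against both handlers.
    Returns (vulnerable_result, fixed_result, legitimate_result)."""
    SESSIONS.clear()
    SESSIONS["victim"] = {"user": "victim-jenkins"}  # victim already logged in to Jenkins
    # A callback URL carrying someone else's authorization code, opened by the victim's browser.
    forged = f"{CALLBACK}?code=code-for-attacker"
    vulnerable = finish_login_vulnerable("victim", forged)  # attacker's GitHub login gets attached
    SESSIONS["victim"] = {"user": "victim-jenkins"}
    fixed = finish_login_fixed("victim", forged)  # rejected: this session issued no state
    # Legitimate flow: the victim starts the login, so the state round-trips through their session.
    issued = state_from_authorize_url(begin_login("victim"))
    legit = finish_login_fixed("victim", f"{CALLBACK}?code=code-for-victim&state={issued}")
    return vulnerable, fixed, legit


if __name__ == "__main__":
    print(demo())
```

Binding the state to the server-side session is what makes the check meaningful: a value that is merely echoed back, or one that never expires, can still be supplied by the party who started the flow. Consuming the stored state on the first callback attempt also closes the replay case.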

Database specific
{
    "nvd_published_at": "2019-04-30T13:29:00Z",
    "cwe_ids": [
        "CWE-352"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-10-26T21:51:58Z"
}
References

Affected packages

Maven / org.jenkins-ci.plugins:github-oauth

Package

Name
org.jenkins-ci.plugins:github-oauth
Purl
pkg:maven/org.jenkins-ci.plugins/github-oauth

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
0.32

Affected versions

-rc586.*

-rc586.88708ce878fc

0.*

0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.8.1
0.9
0.10
0.11
0.12
0.13
0.13.1
0.14
0.16
0.17
0.18
0.19
0.20
0.21
0.21.1
0.21.2
0.22
0.22.1
0.22.2
0.22.3
0.23
0.24
0.25
0.26
0.27
0.28.1
0.29
0.31

Database specific

{
    "last_known_affected_version_range": "<= 0.31"
}