CVE-2019-10315 — Jenkins GitHub Authentication Plugin Cross-Site Request Forgery vulnerability

Description

Jenkins GitHub Authentication Plugin did not manage the state parameter of OAuth to prevent CSRF. This allowed an attacker to catch the redirect URL provided during the authentication process using OAuth and send it to the victim. If the victim was already connected to Jenkins, their Jenkins account would be attached to the attacker’s GitHub account. The state parameter is now correctly managed.

How to fix CVE-2019-10315

To remediate CVE-2019-10315, upgrade the affected package to a fixed version below.

—upgrade to 0.32 or later

Is CVE-2019-10315 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 0.32

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-10315
WEBjenkins.io/security/advisory/2019-04-30/#SECURITY-443
WEBweb.archive.org/web/20200227073756/http://www.securityfocus.com/bid/108159
WEBwww.openwall.com/lists/oss-security/2019/04/30/5