CVE-2019-10330
Improper handling of untrusted branches in Gitea Jenkins Plugin
CVSS 3.1 base score: 7.5 (HIGH)
EPSS: 0.75%
Description
Jenkins Gitea Plugin prior to 1.1.2 did not implement trusted revisions, so attackers without commit access to the Git repository could change the Jenkinsfile used for a build even when Jenkins is configured to treat their revisions as untrusted.
How to fix CVE-2019-10330
To remediate CVE-2019-10330, upgrade the affected package to a fixed version below.
- Upgrade to 1.1.2 or later
Is CVE-2019-10330 being exploited?
Low — EPSS is 0.8%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- Gitea Jenkins Plugin: all versions from 0 up to, but not including, 1.1.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.5) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |