Cross-Site Request Forgery in Jenkins OpenShift Deployer Plugin
CVE-2019-1003080

6.5 MEDIUM

Key Information:

Vendor:
Jenkins
CVE Published:
4 April 2019

Summary

The Jenkins OpenShift Deployer Plugin contains a cross-site request forgery (CSRF) vulnerability. It arises from improper validation in the DeployApplicationDescriptor#doCheckLogin form-validation method: because the method can be invoked through a forged request, an attacker can make the Jenkins server open a connection to a location of the attacker's choosing. Exploiting this vulnerability could enable unauthorized actions to be performed on behalf of an authenticated user without their consent.

Affected Version(s)

Jenkins OpenShift Deployer Plugin, all versions as of 2019-04-03

References

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved
