Cross-Site Request Forgery Vulnerability in Jenkins XebiaLabs XL Deploy Plugin
CVE-2019-10304

6.5MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins Xebialabs Xl Deploy Plugin
Vendor: CVE Published:; 18 April 2019

What is CVE-2019-10304?

A cross-site request forgery vulnerability exists in the Jenkins XebiaLabs XL Deploy Plugin, specifically in the Credential#doValidateUserNamePassword method. This flaw allows attackers to forge a request that can initiate connections to an arbitrary server defined by the attacker, potentially compromising sensitive user credentials and other system resources.

Affected Version(s)

Jenkins XebiaLabs XL Deploy Plugin all versions as of 2019-04-17

References

http://www.securityfocus.com/bid/108045

vdb-entryx_refsource_BID

https://jenkins.io/security/advisory/2019-04-17/#SECURITY...

x_refsource_CONFIRM

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 18, 2019
Vulnerability Reserved
Mar 29, 2019