Cross-Site Request Forgery Vulnerability in Jenkins XL TestView Plugin
CVE-2019-10386

8.8HIGH

Key Information:

Vendor: Jenkins
Status: Jenkins Xl Testview Plugin
Vendor: CVE Published:; 7 August 2019

What is CVE-2019-10386?

A vulnerability in the Jenkins XL TestView Plugin allows users with Overall/Read access to leverage cross-site request forgery to connect to a target URL specified by an attacker. The exploitation can be achieved using attacker-specified credentials IDs that may be obtained through other methods, thus potentially exposing stored Jenkins credentials. This vulnerability can lead to unauthorized access and manipulation of sensitive information within Jenkins.

Affected Version(s)

Jenkins XL TestView Plugin 1.2.0 and earlier

References

http://www.openwall.com/lists/oss-security/2019/08/07/1

mailing-listx_refsource_MLIST

https://jenkins.io/security/advisory/2019-08-07/#SECURITY...

x_refsource_CONFIRM

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 7, 2019
Vulnerability Reserved
Mar 29, 2019