Cross-Site Request Forgery Vulnerability in Jenkins Alauda DevOps Pipeline Plugin
CVE-2019-16573

8.8HIGH

Key Information:

Vendor: Jenkins
Status: Jenkins Alauda Devops Pipeline Plugin
Vendor: CVE Published:; 17 December 2019

Summary

A cross-site request forgery vulnerability in the Alauda DevOps Pipeline Plugin for Jenkins allows attackers to send unauthorized requests to the Jenkins server. By utilizing attacker-specified credentials IDs, an attacker can forge requests to connect to any URL, potentially exposing sensitive stored credentials within Jenkins. This vulnerability poses significant security risks for users managing sensitive data and may allow unauthorized access to confidential environments.

Affected Version(s)

Jenkins Alauda DevOps Pipeline Plugin <= 2.3.2

References

https://jenkins.io/security/advisory/2019-12-17/#SECURITY...

x_refsource_CONFIRM

http://www.openwall.com/lists/oss-security/2019/12/17/1

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Dec 17, 2019
Vulnerability Reserved
Sep 20, 2019