Cross-Site Request Forgery in Jenkins GitLab Branch Source Plugin
CVE-2024-23902

4.3MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins Gitlab Branch Source Plugin
Vendor: CVE Published:; 24 January 2024

What is CVE-2024-23902?

A security flaw has been identified in the GitLab Branch Source Plugin for Jenkins, where a cross-site request forgery (CSRF) can allow attackers to redirect users to a malicious URL of their choice. This vulnerability opens the door for unauthorized actions under the context of a victim user, potentially leading to malicious exploitation. Users are urged to assess their systems for the affected versions and apply the necessary security patches as recommended by the Jenkins security advisory.

Affected Version(s)

Jenkins GitLab Branch Source Plugin 0 <= 684.vea_fa_7c1e2fe3

References

https://www.jenkins.io/security/advisory/2024-01-24/#SECU...

vendor-advisory

http://www.openwall.com/lists/oss-security/2024/01/24/6

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 24, 2024
Vulnerability Reserved
Jan 23, 2024