[JENKINS:SECURITY-443] CSRF vulnerability in OAuth callback in `github-oauth`
Severity: Medium
Affected Packages: 2
Fixed Packages: 2
CVEs: 1
github-oauth did not use the OAuth `state` parameter to protect its callback endpoint against CSRF.
This allowed an attacker to start the GitHub OAuth authorization flow with their own GitHub account, capture the redirect URL (carrying the attacker's authorization code) that GitHub issues during that flow, and deliver it to a victim instead of visiting it themselves.
If the victim was already logged in to Jenkins, the plugin completed the flow inside the victim's session, so the victim's Jenkins account was attached to the attacker's GitHub account.
github-oauth 0.32 now manages the `state` parameter correctly: a value is generated when the flow starts, bound to the user's session, and checked when the callback arrives; callbacks whose `state` does not match are rejected.
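The account-linking CSRF described above, reduced to a runnable simulation. This is an added example, not code from the github-oauth plugin: `FakeGitHub` stands in for GitHub's authorization server, the callback path in `REDIRECT_URI` is a hypothetical placeholder, and `vulnerable_callback` / `hardened_callback` model the pre-0.32 behaviour (any code presented to a logged-in session gets linked) beside the fix (the callback is accepted only if its `state` matches the one this session minted).

```python
"""Account-linking CSRF on an OAuth callback: missing vs. enforced `state`."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical callback URL; the path is an assumption, not taken from the advisory.
REDIRECT_URI = "https://jenkins.example/securityRealm/finishLogin"


@dataclass
class Session:
    """Server-side session of one browser. `user` is the Jenkins account it is logged in as."""
    user: str
    oauth_state: Optional[str] = None    # pending state of an in-progress OAuth flow
    linked_github: Optional[str] = None  # GitHub login attached to this Jenkins account


class FakeGitHub:
    """Stand-in for GitHub's authorization server (constructed for this example).
    An authorization code identifies the GitHub account that authorized the app."""

    def __init__(self) -> None:
        self._codes: Dict[str, str] = {}

    def authorize(self, github_login: str, state: Optional[str]) -> str:
        """Return the redirect URL GitHub would send the browser to after consent."""
        code = secrets.token_urlsafe(16)
        self._codes[code] = github_login
        params = {"code": code}
        if state is not None:
            params["state"] = state  # the authorization server echoes state back unchanged
        return f"{REDIRECT_URI}?{urlencode(params)}"

    def exchange_code(self, code: str) -> str:
        """Back-channel code-for-identity exchange; codes are single use."""
        return self._codes.pop(code)


def begin_login(session: Session) -> str:
    """Hardened flow: mint an unguessable state and bind it to this session."""
    session.oauth_state = secrets.token_urlsafe(32)
    return session.oauth_state


def vulnerable_callback(session: Session, github: FakeGitHub, url: str) -> bool:
    """Pre-0.32 behaviour: whoever brings a code gets it linked to the current session."""
    q = parse_qs(urlparse(url).query)
    session.linked_github = github.exchange_code(q["code"][0])
    return True


def hardened_callback(session: Session, github: FakeGitHub, url: str) -> bool:
    """Accept the callback only if its state matches the one this session minted."""
    q = parse_qs(urlparse(url).query)
    # Consume the pending state first so it is single use even when the check fails.
    expected, session.oauth_state = session.oauth_state, None
    presented = q.get("state", [None])[0]
    if expected is None or presented is None:
        return False  # no flow pending in this session, or no state presented
    if not hmac.compare_digest(expected.encode(), presented.encode()):
        return False  # state was minted by some other session (the attacker's)
    session.linked_github = github.exchange_code(q["code"][0])
    return True


Callback = Callable[[Session, FakeGitHub, str], bool]


def simulate_attack(callback: Callback, plugin_sends_state: bool,
                    victim_has_pending_flow: bool = False) -> Tuple[bool, Optional[str]]:
    """Attacker starts the flow with their own GitHub account, never visits the
    resulting callback URL, and gets the logged-in victim to open it instead."""
    github = FakeGitHub()
    attacker = Session(user="attacker")
    victim = Session(user="victim")
    if victim_has_pending_flow:
        begin_login(victim)  # victim has her own unfinished login, hence a different state
    state = begin_login(attacker) if plugin_sends_state else None
    poisoned_url = github.authorize("attacker-gh", state)
    accepted = callback(victim, github, poisoned_url)
    return accepted, victim.linked_github


def legitimate_login(callback: Callback) -> Tuple[bool, Optional[str]]:
    """Control case: the same browser starts and finishes the flow."""
    github = FakeGitHub()
    victim = Session(user="victim")
    url = github.authorize("victim-gh", begin_login(victim))
    return callback(victim, github, url), victim.linked_github


if __name__ == "__main__":
    print("vulnerable:", simulate_attack(vulnerable_callback, plugin_sends_state=False))
    print("hardened:", simulate_attack(hardened_callback, plugin_sends_state=True))
    print("hardened, victim mid-login:", simulate_attack(hardened_callback, True, True))
    print("hardened, legitimate:", legitimate_login(hardened_callback))
```

The vulnerable handler links `attacker-gh` to the victim's Jenkins account; the hardened one refuses the poisoned URL both when the victim has no flow pending and when she has her own pending flow with a different state, while a legitimate round trip still succeeds. The state is consumed before the comparison so that a rejected callback cannot be replayed, and `hmac.compare_digest` keeps the comparison constant-time.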
Package | Affected Version |
---|---|
pkg:maven/org.jenkins-ci.plugins/github-oauth | <= 0.31 |
pkg:github/jenkinsci/github-oauth-plugin | <= 0.31 |
Package | Fixed Version |
---|---|
pkg:maven/org.jenkins-ci.plugins/github-oauth | = 0.32 |
pkg:github/jenkinsci/github-oauth-plugin | = 0.32 |
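A practitioner's check that an instance is on a fixed build, as an added example rather than anything from the advisory or the plugin: it classifies the `github-oauth` entry in the JSON that Jenkins' plugin manager API returns. The endpoint and field names (`shortName`, `version`, `active`) are Jenkins' own; the sample responses below are constructed for this example.

```python
"""Classify the installed github-oauth plugin against the fixed version from the advisory."""
import json
from typing import Optional, Tuple

FIXED_VERSION = (0, 32)  # first fixed release per the advisory


def parse_version(version: str) -> Tuple[int, ...]:
    """'0.31' -> (0, 31); '0.32-SNAPSHOT' -> (0, 32). Non-numeric suffixes are dropped."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def github_oauth_status(plugin_manager_json: str) -> Tuple[str, Optional[str], Optional[bool]]:
    """Read the output of GET /pluginManager/api/json?depth=1 and return
    (status, version, active) with status 'vulnerable', 'fixed' or 'not-installed'."""
    data = json.loads(plugin_manager_json)
    for plugin in data.get("plugins", []):
        if plugin.get("shortName") != "github-oauth":
            continue
        version = str(plugin.get("version", "0"))
        status = "vulnerable" if parse_version(version) < FIXED_VERSION else "fixed"
        # An inactive plugin is still worth upgrading: it is one restart away from loading.
        return status, version, bool(plugin.get("active", True))
    return "not-installed", None, None


# Constructed sample responses, trimmed to the fields this check reads.
SAMPLE_OLD = json.dumps({"plugins": [
    {"shortName": "git", "version": "3.9.3", "active": True},
    {"shortName": "github-oauth", "version": "0.31", "active": True},
]})
SAMPLE_NEW = json.dumps({"plugins": [
    {"shortName": "github-oauth", "version": "0.32", "active": True},
]})

if __name__ == "__main__":
    print(github_oauth_status(SAMPLE_OLD))
    print(github_oauth_status(SAMPLE_NEW))
```

Feed it real output with something like `curl -s -u USER:API_TOKEN 'https://JENKINS/pluginManager/api/json?depth=1'`; the version tuple comparison means `0.33.1` or later also counts as fixed.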
- ID: JENKINS:SECURITY-443
- Severity: medium
- Published: 2019-04-30
- Modified: 2019-04-30
- Rights: Jenkins Security Team
- Other Advisories
Source | ID | Name | URL |
---|---|---|---|
Plugin repository | | github-oauth repository | https://github.com/jenkinsci/github-oauth-plugin |
Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
---|---|---|---|---|---|---|---|
Affected | pkg:maven/org.jenkins-ci.plugins/github-oauth | org.jenkins-ci.plugins | github-oauth | <= 0.31 | |||
Fixed | pkg:maven/org.jenkins-ci.plugins/github-oauth | org.jenkins-ci.plugins | github-oauth | = 0.32 | |||
Affected | pkg:github/jenkinsci/github-oauth-plugin | jenkinsci | github-oauth-plugin | <= 0.31 | |||
Fixed | pkg:github/jenkinsci/github-oauth-plugin | jenkinsci | github-oauth-plugin | = 0.32 | |||