CVE-2019-10324
Published 2019-05-31
CVE-2019-10324: A cross-site request forgery vulnerability in Jenkins Artifactory Plugin 3.2.2 and earlier in ReleaseAction#doSubmit, GradleReleaseApiAction#doStaging…
Priority P4 · 27 · medium · 6.5 (CVSS 3.0)
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
EPSS 0.75% (50.4th percentile)
A cross-site request forgery vulnerability in Jenkins Artifactory Plugin 3.2.2 and earlier in ReleaseAction#doSubmit, GradleReleaseApiAction#doStaging, MavenReleaseApiAction#doStaging, and UnifiedPromoteBuildAction#doSubmit allowed attackers to schedule a release build, perform release staging for Gradle and Maven projects, and promote previously staged builds, respectively.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jenkins | artifactory_plugin | — | — |
| jenkins | gitea_plugin | — | — |
| jenkins | ids_to_allow_users_configuring_the_plugin | — | — |
| jenkins | improper_handling_of_untrusted_branches_in_gitea_plugin | — | — |
| jenkins | influxdb_plugin | — | — |
| jenkins | pipeline_maven_integration_plugin | — | — |
| jenkins | pipeline_remote_loader_plugin | — | — |
| jenkins | warnings_plugin | — | — |
| jenkins_project | jenkins_artifactory_plugin | — | — |
| jfrog | artifactory | <= 3.2.2 | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 6.5 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
OSV
osv · 2022-05-24 · CVE-2019-10324 [MEDIUM]
Cross-site request forgery vulnerability in Jenkins Artifactory Plugin
Description: identical to the CVE description above.
GHSA
ghsa · 2022-05-24 · CVE-2019-10324 [MEDIUM] · CWE-352
Cross-site request forgery vulnerability in Jenkins Artifactory Plugin
Description: identical to the CVE description above.
Jenkins
vendor_jenkins · 2019-05-31 · CVSS 5.4 · CVE-2019-10321 [MEDIUM]
Title: Jenkins Security Advisory 2019-05-31
This advisory announces vulnerabilities in the following Jenkins deliverables:
- Artifactory Plugin
- Gitea Plugin
- InfluxDB Plugin
- Pipeline Maven Integration Plugin
- Pipeline Remote Loader Plugin
- Warnings Plugin
Descriptions
Persisted XSS vulnerabili
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- http://www.openwall.com/lists/oss-security/2019/05/31/2
- http://www.securityfocus.com/bid/108540
- https://jenkins.io/security/advisory/2019-05-31/#SECURITY-1347
Published 2019-05-31