CVE-2019-10437

CWE-352 — Cross-Site Request Forgery (CSRF)5 documents5 sources

Severity

8.8HIGH

EPSS

0.1%

top 74.05%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins CRX Content Package Deployer Jenkins Project Jenkins CRX Content Package Deployer Plugin

Timeline

PublishedOct 16

Latest updateMay 24

Description

A cross-site request forgery vulnerability in Jenkins CRX Content Package Deployer Plugin 1.8.1 and earlier allowed attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶Mavenorg.jenkins-ci.plugins:crx-content-package-deployer< 1.9

▶CVEListV5jenkins_project/jenkins_crx_content_package_deployer_plugin1.8.1 and earlier

▶NVDjenkins/crx_content_package_deployer1.8.1

🔴Vulnerability Details

OSV

Jenkins CRX Content Package Deployer Plugin subject to Cross-Site Request Forgery↗2022-05-24

▶

GHSA

Jenkins CRX Content Package Deployer Plugin subject to Cross-Site Request Forgery↗2022-05-24

▶

CVEList

CVE-2019-10437: A cross-site request forgery vulnerability in Jenkins CRX Content Package Deployer Plugin 1↗2019-10-16

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2019-10-16↗2019-10-16

▶