Cross-site Request Forgery (CSRF)

Affecting com.xebialabs.xlt.ci:xltestview-plugin artifact, versions [0,]


Overview

com.xebialabs.xlt.ci:xltestview-plugin is a Jenkins plugin that integrates Jenkins with XebiaLabs XL TestView.

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF). The plugin does not perform permission checks on a method implementing form validation that does not require POST requests. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
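The hardened shape of such a form-validation method, as an added example that is not the plugin's source (the class name, the connect() placeholder and the choice of credential type are assumptions), showing the two controls the advisory says are missing:

```java
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import java.util.Collections;

// Hypothetical descriptor for a plugin's server configuration (example code only).
public class XlServerDescriptorExample {

    // The advisory describes a validation method that accepts GET and checks no
    // permission before using a caller-supplied credentials ID. @RequirePOST rejects
    // GET (Jenkins' crumb check then protects the POST against CSRF); the permission
    // check ties credential use to a caller who may already configure the item.
    @RequirePOST
    public FormValidation doTestConnection(@AncestorInPath Item item,
                                           @QueryParameter String serverUrl,
                                           @QueryParameter String credentialsId) {
        if (item == null) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        } else {
            item.checkPermission(Item.CONFIGURE);
        }
        StandardUsernamePasswordCredentials creds = lookup(credentialsId, item);
        if (creds == null) {
            return FormValidation.error("No usable credentials found for the given ID");
        }
        return connect(serverUrl, creds);
    }

    // Resolves the ID in the item's scope. The lookup runs as SYSTEM, so it sees every
    // credential the item can use; that is exactly why the permission check above matters.
    private static StandardUsernamePasswordCredentials lookup(String id, Item context) {
        return CredentialsMatchers.firstOrNull(
            CredentialsProvider.lookupCredentials(StandardUsernamePasswordCredentials.class,
                context, ACL.SYSTEM, Collections.emptyList()),
            CredentialsMatchers.withId(id));
    }

    private static FormValidation connect(String url, StandardUsernamePasswordCredentials c) {
        // The actual connection attempt is plugin-specific and omitted here.
        return FormValidation.ok("Would connect to " + url + " as " + c.getUsername());
    }
}
```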

Remediation

There is no fixed version for com.xebialabs.xlt.ci:xltestview-plugin.

CVSS Score

4.2
medium severity
  • Attack Vector
    Network
  • Attack Complexity
    High
  • Privileges Required
    Low
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    Low
  • Integrity
    Low
  • Availability
    None
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Credit
Oleg Nenashev
CVE
CVE-2019-10386 CVE-2019-10387
CWE
CWE-352
Snyk ID
SNYK-JAVA-COMXEBIALABSXLTCI-458752
Disclosed
07 Aug, 2019
Published
08 Aug, 2019