Jenkins GitHub Authentication Plugin Cross-Site Request Forgery vulnerability
Moderate severity
GitHub Reviewed
Published
May 24, 2022
to the GitHub Advisory Database
•
Updated Oct 26, 2023
Description
Published by the National Vulnerability Database
Apr 30, 2019
Published to the GitHub Advisory Database
May 24, 2022
Reviewed
Oct 26, 2023
Last updated
Oct 26, 2023
Jenkins GitHub Authentication Plugin did not manage the state parameter of OAuth to prevent CSRF. This allowed an attacker to catch the redirect URL provided during the authentication process using OAuth and send it to the victim. If the victim was already connected to Jenkins, their Jenkins account would be attached to the attacker’s GitHub account.
The state parameter is now correctly managed.
References