CVE-2019-1003010

A cross-site request forgery vulnerability exists in Jenkins Git Plugin 3.9.1 and earlier in src/main/java/hudson/plugins/git/GitTagAction.java that allows attackers to create a Git tag in a workspace and attach corresponding metadata to a build record.

Published: Feb 6, 2019
Updated: May 9, 2024
CVE: CVE-2019-1003010
GHSA: GHSA-r8rw-xx57-m64q
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 4.3
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N

CWEs:

CWE-352

Affected Software
References

Software	From	Fixed in
jenkins / git	-	3.9.1.x
redhat / openshift_container_platform	3.11	3.11.x
org.jenkins-ci.plugins / git	-	3.9.2

https://access.redhat.com/errata/RHBA-2019:0326
https://access.redhat.com/errata/RHBA-2019:0327
https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1095

Vulnerability Database

289,599

CVE-2019-1003010