8

CVSS Score

3.0

Basic Information

CVE ID

CVE-2019-10300

GHSA ID

GHSA-j365-62px-vjjv

EPSS Score

0.26458%

CWE

CWE-352

Published

5/24/2022

Updated

12/13/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-10300

CVE-2019-10300: Jenkins GitLab Plugin Cross-Site Request Forgery vulnerability

Jenkins GitLab Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method did not require POST requests, resulting in a cross-site request forgery vulnerability.

This form validation method now requires POST requests and Overall/Administer permissions.

(GitHub Advisory)

8

CVSS Score

3.0

Basic Information

CVE ID

CVE-2019-10300

GHSA ID

GHSA-j365-62px-vjjv

EPSS Score

0.26458%

CWE

CWE-352

Published

5/24/2022

Updated

12/13/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.plugins:gitlab-plugin	maven	<= 1.5.11	1.5.12

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability documentation explicitly identifies the 'doTestConnection' method in GitLabConnectionConfig as the flawed form validation endpoint. The commit diff shows this method was modified to add @RequirePOST and ADMINISTER permission checks, confirming it was the attack vector. The method's pre-patch behavior matches the described vulnerability mechanics (CSRF via GET, insufficient permissions).

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*nkins *itL** Plu*in *i* not p*r*orm p*rmission ****ks on * m*t*o* impl*m*ntin* *orm v*li**tion. T*is *llow** us*rs wit* Ov*r*ll/R*** ****ss to J*nkins to *onn**t to *n *tt**k*r-sp**i*i** URL usin* *tt**k*r-sp**i*i** *r***nti*ls I*s o*t*in** t*rou**

Reasoning

T** vuln*r**ility *o*um*nt*tion *xpli*itly i**nti*i*s t** '*oT*st*onn**tion' m*t*o* in `*itL***onn**tion*on*i*` *s t** *l*w** *orm v*li**tion *n*point. T** *ommit *i** s*ows t*is m*t*o* w*s mo*i*i** to *** @R*quir*POST *n* **MINIST*R p*rmission ****k

8

Basic Information

Concerned about an active attack path?

CVE-2019-10300: Jenkins GitLab Plugin Cross-Site Request Forgery vulnerability

8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI