8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-10301

GHSA ID

GHSA-923w-9p3x-hmgw

EPSS Score

0.21054%

CWE

CWE-862

Published

5/24/2022

Updated

12/13/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-10301

CVE-2019-10301: Jenkins GitLab Plugin missing permission checks

Jenkins GitLab Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method did not require POST requests, resulting in a cross-site request forgery vulnerability.

This form validation method now requires POST requests and Overall/Administer permissions.

(GitHub Advisory)

8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-10301

GHSA ID

GHSA-923w-9p3x-hmgw

EPSS Score

0.21054%

CWE

CWE-862

Published

5/24/2022

Updated

12/13/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.plugins:gitlab-plugin	maven	<= 1.5.11	1.5.12

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability documentation explicitly references a missing permission check in GitLabConnectionConfig#doTestConnection. The commit diff shows this method was modified to add @RequirePOST and ADMINISTER permission checks, confirming it was the vulnerable entry point. The method's purpose (testing connections with arbitrary credentials/URLs) aligns perfectly with the described attack vector.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*nkins *itL** Plu*in *i* not p*r*orm p*rmission ****ks on * m*t*o* impl*m*ntin* *orm v*li**tion. T*is *llow** us*rs wit* Ov*r*ll/R*** ****ss to J*nkins to *onn**t to *n *tt**k*r-sp**i*i** URL usin* *tt**k*r-sp**i*i** *r***nti*ls I*s o*t*in** t*rou**

Reasoning

T** vuln*r**ility *o*um*nt*tion *xpli*itly r***r*n**s * missin* p*rmission ****k in `*itL***onn**tion*on*i*#*oT*st*onn**tion`. T** *ommit *i** s*ows t*is m*t*o* w*s mo*i*i** to *** @R*quir*POST *n* **MINIST*R p*rmission ****ks, *on*irmin* it w*s t**

8.8

Basic Information

Concerned about an active attack path?

CVE-2019-10301: Jenkins GitLab Plugin missing permission checks

8.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI