CVE-2019-1003010

MEDIUM

Jenkins Git Plugin <3.9.1 - CSRF

Title source: llm

Description

A cross-site request forgery vulnerability exists in Jenkins Git Plugin 3.9.1 and earlier in src/main/java/hudson/plugins/git/GitTagAction.java that allows attackers to create a Git tag in a workspace and attach corresponding metadata to a build record.

Exploits (2)

nomisec WRITEUP

by dawetmaster · poc

https://github.com/dawetmaster/CVE-2019-1003010-Prasanna-vulnerable

View Code ZIP pw:eip

nomisec WRITEUP

by andikahilmy · poc

https://github.com/andikahilmy/CVE-2019-1003010-Prasanna-vulnerable

View Code ZIP pw:eip

References (3)

[Third Party Advisory] https://access.redhat.com/errata/RHBA-2019:0326

[Third Party Advisory] https://access.redhat.com/errata/RHBA-2019:0327

[Vendor Advisory] https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1095

Scores

CVSS v3 4.3

EPSS 0.0065

EPSS Percentile 70.9%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Details

CWE

CWE-352

Status published

Products (3)

jenkins/git < 3.9.1

org.jenkins-ci.plugins/git 0 - 3.9.2Maven

redhat/openshift_container_platform 3.11

Published Feb 06, 2019

Tracked Since Feb 18, 2026