VYPR
High severity · NVD Advisory · Published Apr 18, 2019 · Updated Aug 4, 2024

CVE-2019-10300

Description

A cross-site request forgery vulnerability in Jenkins GitLab Plugin 1.5.11 and earlier in the GitLabConnectionConfig#doTestConnection form validation method allowed attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A CSRF vulnerability in Jenkins GitLab Plugin 1.5.11 and earlier lets attackers capture credentials by tricking users into connecting to an attacker-specified URL.

Vulnerability

Description

CVE-2019-10300 is a cross-site request forgery (CSRF) vulnerability in the Jenkins GitLab Plugin, up to version 1.5.11. The bug resides in the doTestConnection method of GitLabConnectionConfig, which performs form validation for testing connections to GitLab instances. This method did not require POST requests, nor did it check for proper permissions, making it susceptible to CSRF attacks [1][2].

Exploitation

Details

An attacker with knowledge of a valid credentials ID (obtainable via build logs, credential manager read access, or another vulnerable plugin) can craft a malicious HTTP GET request to the doTestConnection endpoint. The request includes an attacker-specified URL and the credentials ID. If a legitimate user with higher privileges (e.g., an administrator) is tricked into clicking a crafted link or visiting a malicious site, the plugin will execute the request with the user's session. It then attempts to connect to the attacker-controlled server using the specified credential, which is transmitted in the HTTP PRIVATE-TOKEN header, thereby capturing the credential [3].

Impact

A successful exploit allows an attacker to capture credentials stored in Jenkins. The vulnerability is rated Medium severity (CVSS 3.0 base score 7.7) and requires the attacker to be authenticated with at least Overall/Read permissions, though an anonymous user could exploit it if anonymous read access is enabled [2][3].

Mitigation

The Jenkins GitLab Plugin fixed this issue in version 1.5.12 by requiring POST requests (via @RequirePOST) and adding a permission check for Overall/Administer (via checkPermission(Jenkins.ADMINISTER)) [2][4]. Users should upgrade to the latest version and ensure that anonymous read access is disabled unless necessary.
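As an added defender-side example (not code from the advisory or from the plugin), the following Python script scans Jenkins access-log lines for the pattern described above: a GitLabConnectionConfig connection test issued via GET, or one whose target URL points at a host outside the operator's allowlist, either of which is worth an alert on instances still running plugin 1.5.11 or earlier. The NCSA-style log lines, the host names and the request path (assumed to follow Stapler's usual mapping of doTestConnection to a .../testConnection URL) are all constructed assumptions, not data from the page.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Jenkins access-log lines (NCSA common log format); not real data.
# The path assumes Stapler's usual mapping of doTestConnection to .../testConnection.
SAMPLE_LOG = """\
10.0.0.5 - alice [18/Apr/2019:10:01:02 +0000] "POST /jenkins/descriptorByName/com.dabsquared.gitlabjenkins.connection.GitLabConnectionConfig/testConnection?url=https%3A%2F%2Fgitlab.example.com&apiTokenId=gitlab-token HTTP/1.1" 200 512
10.0.0.5 - alice [18/Apr/2019:10:03:10 +0000] "GET /jenkins/descriptorByName/com.dabsquared.gitlabjenkins.connection.GitLabConnectionConfig/testConnection?url=http%3A%2F%2Fattacker.example.net%3A8080&apiTokenId=gitlab-token HTTP/1.1" 200 512
10.0.0.7 - bob [18/Apr/2019:10:04:00 +0000] "GET /jenkins/job/build/123/console HTTP/1.1" 200 4096
"""

# ip ident user [timestamp] "METHOD target PROTOCOL" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def analyze_access_log(log_text, allowed_hosts):
    """Return one finding per GitLabConnectionConfig connection-test request that
    matches the CVE-2019-10300 pattern: sent via GET (plugin <= 1.5.11 accepted
    it, so a CSRF link could trigger it with the victim's session) and/or aimed
    at a GitLab URL whose host is not in the operator's allowlist."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        parts = urlsplit(m["target"])
        if not parts.path.endswith("GitLabConnectionConfig/testConnection"):
            continue  # some other endpoint
        query = parse_qs(parts.query)  # percent-decodes the url= parameter
        target_url = query.get("url", [""])[0]
        host = (urlsplit(target_url).hostname or "").lower()
        reasons = []
        if m["method"] == "GET":
            reasons.append("connection test via GET (CSRF-triggerable on plugin <= 1.5.11)")
        if host not in allowed_hosts:
            reasons.append(f"credential would be sent to non-allowlisted host {host!r}")
        if reasons:
            findings.append({
                "user": m["user"],
                "source_ip": m["ip"],
                "credentials_id": query.get("apiTokenId", [""])[0],
                "target_host": host,
                "reasons": reasons,
            })
    return findings

if __name__ == "__main__":
    for finding in analyze_access_log(SAMPLE_LOG, {"gitlab.example.com"}):
        print(finding)
```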

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                               Ecosystem  Affected versions  Patched versions
org.jenkins-ci.plugins:gitlab-plugin  Maven      < 1.5.12           1.5.12

Affected products: 3

Patches: 1

f028c65539a8

[SECURITY-1357]

https://github.com/jenkinsci/gitlab-plugin · Owen Mehegan · Apr 17, 2019 · via ghsa
1 file changed · +6 -0
  • src/main/java/com/dabsquared/gitlabjenkins/connection/GitLabConnectionConfig.java  +6 -0  modified
    @@ -22,6 +22,9 @@
     import org.jenkinsci.plugins.plaincredentials.StringCredentials;
     import org.kohsuke.stapler.QueryParameter;
     import org.kohsuke.stapler.StaplerRequest;
    +import org.kohsuke.stapler.interceptor.RequirePOST;
    +import org.kohsuke.accmod.Restricted;
    +import org.kohsuke.accmod.restrictions.DoNotUse;
     
     import javax.ws.rs.ProcessingException;
     import javax.ws.rs.WebApplicationException;
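Review bot: the second hunk calls Jenkins.getActiveInstance(), but this import block adds no import for jenkins.model.Jenkins; confirm it is already imported above line 22 (outside the visible context), otherwise the change will not compile. Minor style point: the three new org.kohsuke imports could sit next to the existing org.kohsuke.stapler imports rather than after them in mixed order.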
    @@ -131,12 +134,15 @@ public FormValidation doCheckReadTimeout(@QueryParameter Integer value) {
             }
         }
     
    +    @RequirePOST
    +    @Restricted(DoNotUse.class) // WebOnly
         public FormValidation doTestConnection(@QueryParameter String url,
                                                @QueryParameter String apiTokenId,
                                                @QueryParameter String clientBuilderId,
                                                @QueryParameter boolean ignoreCertificateErrors,
                                                @QueryParameter int connectionTimeout,
                                                @QueryParameter int readTimeout) {
    +	Jenkins.getActiveInstance().checkPermission(Jenkins.ADMINISTER);
             try {
                 new GitLabConnection("", url, apiTokenId, clientBuilderId, ignoreCertificateErrors, connectionTimeout, readTimeout).getClient().getCurrentUser();
                 return FormValidation.ok(Messages.connection_success());
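Review bot: the permission check is placed correctly, before any GitLabConnection is built with the supplied apiTokenId, so a non-administrator cannot cause a credential to be sent anywhere; but the added line is indented with a tab while the surrounding body uses four spaces, so reindent it to match. A short comment naming SECURITY-1357 next to @RequirePOST and the checkPermission call would keep the intent (close the CSRF path on this form-validation method) visible to future refactors.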
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 6

News mentions: 0

No linked articles in our index yet.