VYPR
High severity · NVD Advisory · Published Apr 18, 2019 · Updated Aug 4, 2024

CVE-2019-10301

Description

A missing permission check in Jenkins GitLab Plugin 1.5.11 and earlier in the GitLabConnectionConfig#doTestConnection form validation method allowed attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Missing permission check in Jenkins GitLab Plugin allows attackers with Overall/Read to capture stored credentials via crafted test connection requests.

Vulnerability

CVE-2019-10301 is a missing permission check in the Jenkins GitLab Plugin (versions 1.5.11 and earlier). The GitLabConnectionConfig#doTestConnection form validation method did not verify that the user had the required Overall/Administer permission before executing [1][2]. This allowed any authenticated user with the default Overall/Read permission to trigger the method.

Exploitation

An attacker could exploit this by sending a request to the form validation endpoint with an attacker-specified URL and a credentials ID obtained through other means (e.g., another vulnerability or information disclosure) [2]. The method would then attempt to connect to the specified URL using those credentials, effectively exposing the stored credential token. Additionally, the method did not require a POST request, making it also vulnerable to cross-site request forgery (CVE-2019-10300) [2].

Impact

Successful exploitation allows an attacker to capture credentials stored in Jenkins by having the plugin connect to a server they control. The attacker must first have a valid credentials ID, but the overall impact is the exposure of potentially sensitive authentication tokens [1].

Mitigation

The fix, implemented in commit f028c65539 [4], adds the @RequirePOST annotation and a permission check for Jenkins.ADMINISTER, ensuring only administrators can invoke the method [4]. Users should upgrade to a patched version (1.5.12 or later) [2].
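As an added example, not part of this advisory or of the plugin's own code, a small Python triage routine that runs over constructed Jenkins access-log lines and flags calls to the test-connection form validation endpoint that were sent with GET (the pre-fix CSRF path), came from a user outside the administrator set, or pointed the url parameter at a host other than the organisation's known GitLab server. The log layout, the user field, the admin list and the request path shape are all assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample lines (not real data). Assumed layout: client IP, ident,
# authenticated Jenkins user, timestamp, request line, status. The endpoint path
# is an assumed Stapler mapping of doTestConnection on the descriptor class.
SAMPLE_LOG = """\
10.0.0.5 - alice [17/Apr/2019:10:01:02 +0000] "GET /descriptorByName/com.dabsquared.gitlabjenkins.connection.GitLabConnectionConfig/testConnection?url=https%3A%2F%2Fgitlab.example.com&apiTokenId=gitlab-token HTTP/1.1" 200
10.0.0.9 - bob [17/Apr/2019:10:02:15 +0000] "GET /descriptorByName/com.dabsquared.gitlabjenkins.connection.GitLabConnectionConfig/testConnection?url=http%3A%2F%2F203.0.113.7%3A8080%2F&apiTokenId=gitlab-token HTTP/1.1" 200
10.0.0.5 - alice [17/Apr/2019:10:03:40 +0000] "POST /descriptorByName/com.dabsquared.gitlabjenkins.connection.GitLabConnectionConfig/testConnection HTTP/1.1" 200
10.0.0.5 - alice [17/Apr/2019:10:04:00 +0000] "GET /job/build/api/json HTTP/1.1" 200
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)


def triage(log_text, allowed_gitlab_hosts, admins):
    """Return (user, ip, reasons) for each suspicious test-connection request."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        path = m.group("target").split("?", 1)[0]
        if not path.endswith("/testConnection"):
            continue
        reasons = []
        # Before the fix the method accepted GET, so a non-POST call is the CSRF shape.
        if m.group("method") != "POST":
            reasons.append("form validation called without POST")
        # After the fix only Overall/Administer may call it; anyone else is noteworthy.
        if m.group("user") not in admins:
            reasons.append("caller is not an administrator")
        # An attacker-specified url parameter is what leaks the stored token.
        query = parse_qs(urlparse(m.group("target")).query)
        for candidate in query.get("url", []):
            host = urlparse(candidate).hostname
            if host not in allowed_gitlab_hosts:
                reasons.append(f"url parameter points at unexpected host {host}")
        if reasons:
            findings.append((m.group("user"), m.group("ip"), reasons))
    return findings
```

Run it as `triage(SAMPLE_LOG, {"gitlab.example.com"}, {"alice"})`; the second constructed line (a non-admin, GET, url at 203.0.113.7) is the one that matches all three conditions.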

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:gitlab-plugin (Maven)
Affected versions: < 1.5.12
Patched versions: 1.5.12

Patches (1)

f028c65539a8

[SECURITY-1357]

https://github.com/jenkinsci/gitlab-plugin · Owen Mehegan · Apr 17, 2019 · via ghsa
1 file changed · +6 −0
  • src/main/java/com/dabsquared/gitlabjenkins/connection/GitLabConnectionConfig.java · +6 −0 · modified
    @@ -22,6 +22,9 @@
     import org.jenkinsci.plugins.plaincredentials.StringCredentials;
     import org.kohsuke.stapler.QueryParameter;
     import org.kohsuke.stapler.StaplerRequest;
    +import org.kohsuke.stapler.interceptor.RequirePOST;
    +import org.kohsuke.accmod.Restricted;
    +import org.kohsuke.accmod.restrictions.DoNotUse;
     
     import javax.ws.rs.ProcessingException;
     import javax.ws.rs.WebApplicationException;
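Review bot: the three new imports are appended after the existing org.kohsuke.stapler block rather than merged in sorted order (org.kohsuke.accmod.* now sits below org.kohsuke.stapler.*); consider reordering so the import groups stay sorted. Also confirm that jenkins.model.Jenkins is already imported elsewhere in the file, since the second hunk calls `Jenkins.getActiveInstance()` and this hunk does not add that import.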
    @@ -131,12 +134,15 @@ public FormValidation doCheckReadTimeout(@QueryParameter Integer value) {
             }
         }
     
    +    @RequirePOST
    +    @Restricted(DoNotUse.class) // WebOnly
         public FormValidation doTestConnection(@QueryParameter String url,
                                                @QueryParameter String apiTokenId,
                                                @QueryParameter String clientBuilderId,
                                                @QueryParameter boolean ignoreCertificateErrors,
                                                @QueryParameter int connectionTimeout,
                                                @QueryParameter int readTimeout) {
    +	Jenkins.getActiveInstance().checkPermission(Jenkins.ADMINISTER);
             try {
                 new GitLabConnection("", url, apiTokenId, clientBuilderId, ignoreCertificateErrors, connectionTimeout, readTimeout).getClient().getCurrentUser();
                 return FormValidation.ok(Messages.connection_success());
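Review bot: the added `Jenkins.getActiveInstance().checkPermission(Jenkins.ADMINISTER);` is indented with a tab while the surrounding method body uses spaces; re-indent it to match. On the logic side the placement is right: the check runs before `new GitLabConnection(...)` is built, so a caller with only Overall/Read is rejected before any credentials lookup or outbound connection to the supplied url, and `@RequirePOST` closes the GET path behind CVE-2019-10300. Note that `@Restricted(DoNotUse.class)` only limits programmatic callers of the method and does not itself restrict the web endpoint, so the explicit checkPermission line is the one doing the security work and should not be removed in later refactoring.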
