VYPR
High severity · NVD Advisory · Published May 31, 2019 · Updated Aug 4, 2024

CVE-2019-10330

Description

Jenkins Gitea Plugin 1.1.1 and earlier did not implement trusted revisions, allowing attackers without commit access to the Git repo to change Jenkinsfiles even if Jenkins is configured to consider them to be untrusted.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins Gitea Plugin 1.1.1 and earlier fails to enforce trusted revisions, allowing attackers without commit access to modify Jenkinsfiles in pull requests.

The Jenkins Gitea Plugin prior to version 1.1.2 did not implement the getTrustedRevision method, which is part of Jenkins' mechanism for distinguishing trusted from untrusted SCM revisions. This omission meant that the plugin never checked whether a pull request's source branch should be considered trusted, even when Jenkins was configured to treat contributions from non-committers as untrusted [1][2]. As a result, any user who could create a pull request against a repository using the plugin could have their proposed Jenkinsfile changes accepted without the usual trust verification.

To exploit this vulnerability, an attacker only needs the ability to open a pull request on a Gitea repository that is configured with the affected plugin. No commit access to the repository is required. The plugin would process the Jenkinsfile from the pull request's head branch as if it were from a trusted source, bypassing the intended security boundary [2][3]. The root cause is further illustrated in the fix commit, which adds a proper getTrustedRevision implementation and also corrects a null-safety issue in the checkTrusted method [4].

An attacker who successfully modifies a Jenkinsfile can inject arbitrary pipeline steps. Since Jenkins pipelines execute with the permissions of the Jenkins controller, this can lead to remote code execution, credential exfiltration, or other severe impacts depending on the environment [1][2]. The vulnerability is classified as high severity because it allows an unauthenticated or low-privileged attacker to compromise the build system.

The issue is resolved in Gitea Plugin version 1.1.2, released on May 31, 2019 [3]. Users should upgrade immediately. No workarounds are available; the only mitigation is to update the plugin. The fix ensures that the plugin correctly consults the list of repository collaborators and only treats pull requests from those users as trusted [4].
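To make the "trusted revision" decision concrete, the following is an added Python model of it; it is not the plugin's Java and not code from the advisory. Jenkins asks an SCM source which revision the Jenkinsfile (and other trusted files) of a pull-request build should be read from: the PR head, or the PR's base branch. The plugin at 1.1.1 never answered, so the default (return the revision unchanged) always picked the PR head. The model goes slightly beyond the narrative above by also covering a same-repo PR and a missing collaborator list; that a same-repo PR is vouched for by a separate origin-PR authority is an assumption of the model, and all user names and commit hashes are constructed.

```python
"""Model of the Jenkins "trusted revision" decision for pull-request builds.

Added example; not code from the Gitea plugin. Jenkins asks the SCM source
which revision the Jenkinsfile should be read from: the PR head (the
contributor's proposed Jenkinsfile is used) or the PR's base branch (the
repository's own Jenkinsfile is used, the contributor's code is still built).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

SAME_REPO = "DEFAULT"   # models SCMHeadOrigin.DEFAULT: the head branch lives in the target repo
FORK = "FORK"           # the head branch lives in a contributor's fork


@dataclass(frozen=True)
class PullRequestRevision:
    """Constructed stand-in for PullRequestSCMRevision (not the real class)."""
    number: int
    origin: str          # SAME_REPO or FORK
    origin_owner: str    # owner of the head branch (the fork owner for FORK)
    head_hash: str       # commit the contributor proposes; carries their Jenkinsfile
    target_hash: str     # tip of the base branch inside the repository itself


def trusted_revision_vulnerable(rev: PullRequestRevision,
                                collaborators: Optional[Set[str]]) -> str:
    """Plugin <= 1.1.1: getTrustedRevision not overridden, so the PR head is always used."""
    return rev.head_hash


def contributor_is_trusted(rev: PullRequestRevision,
                           collaborators: Optional[Set[str]]) -> bool:
    """Mirrors TrustContributors.checkTrusted from the fix: a fork PR is trusted only when
    the fork owner is a repository collaborator. A missing collaborator list (None, the
    case Util.fixNull guards in the fix) fails closed: nobody is trusted."""
    names = collaborators if collaborators is not None else set()
    return rev.origin != SAME_REPO and rev.origin_owner in names


def is_trusted(rev: PullRequestRevision, collaborators: Optional[Set[str]]) -> bool:
    """Assumed model of the request's trust check: a same-repo PR is vouched for by the
    origin-PR authority (pushing that branch already needed write access); a fork PR
    is vouched for only by the collaborator check above."""
    if rev.origin == SAME_REPO:
        return True
    return contributor_is_trusted(rev, collaborators)


def trusted_revision_fixed(rev: PullRequestRevision,
                           collaborators: Optional[Set[str]],
                           log: List[str]) -> str:
    """Plugin 1.1.2 behaviour: an untrusted PR gets its Jenkinsfile from the base branch."""
    if is_trusted(rev, collaborators):
        return rev.head_hash
    log.append("Loading trusted files from base branch at %s rather than %s"
               % (rev.target_hash, rev.head_hash))
    return rev.target_hash


def resolve_all(collaborators: Optional[Set[str]]) -> Dict[str, object]:
    """Run three constructed PRs through both versions and report which commit each
    version would read the Jenkinsfile from."""
    prs = [
        PullRequestRevision(1, FORK, "outsider", "aaa111", "base000"),   # no commit access
        PullRequestRevision(2, FORK, "alice", "bbb222", "base000"),      # collaborator's fork
        PullRequestRevision(3, SAME_REPO, "acme", "ccc333", "base000"),  # branch in the repo
    ]
    log: List[str] = []
    return {
        "vulnerable": {pr.number: trusted_revision_vulnerable(pr, collaborators) for pr in prs},
        "fixed": {pr.number: trusted_revision_fixed(pr, collaborators, log) for pr in prs},
        "log": log,
    }


if __name__ == "__main__":
    for name, picks in resolve_all({"alice", "bob"}).items():
        print(name, picks)
```

With collaborators `{"alice", "bob"}`, the vulnerable path reads the Jenkinsfile from every PR head, including the outsider's fork; the fixed path reads PR 1 from `base000` and logs the fallback, while PR 2 (collaborator) and PR 3 (same repo) keep their own heads. Passing `None` as the collaborator list shows the fail-closed behaviour: both fork PRs fall back to the base branch.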

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:gitea (Maven)
Affected versions: < 1.1.2
Patched versions: 1.1.2

Affected products: 3

Patches: 1

Commit 7555cb7c168c · https://github.com/jenkinsci/gitea-plugin · Stephen Connolly · May 27, 2019 · via ghsa

[SECURITY-1046]

2 files changed · +31 −1
  • src/main/java/org/jenkinsci/plugin/gitea/ForkPullRequestDiscoveryTrait.java · +2 −1 · modified
    @@ -25,6 +25,7 @@
     
     import edu.umd.cs.findbugs.annotations.NonNull;
     import hudson.Extension;
    +import hudson.Util;
     import hudson.util.ListBoxModel;
     import java.util.EnumSet;
     import java.util.List;
    @@ -286,7 +287,7 @@ public TrustContributors() {
             @Override
             protected boolean checkTrusted(@NonNull GiteaSCMSourceRequest request, @NonNull PullRequestSCMHead head) {
                 return !head.getOrigin().equals(SCMHeadOrigin.DEFAULT)
    -                    && request.getCollaboratorNames().contains(head.getOriginOwner());
    +                    && Util.fixNull(request.getCollaboratorNames()).contains(head.getOriginOwner());
             }
     
             /**
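Review bot: the `Util.fixNull(...)` wrapper on the `+` line of this hunk makes a null collaborator list fail closed (an empty collection contains nothing, so the fork owner is not trusted), which is the right default for a trust check; a short comment above `checkTrusted` stating when `request.getCollaboratorNames()` can legitimately be null (a request built without the collaborator lookup having run) would save the next reader from treating that null as a bug elsewhere. The `!head.getOrigin().equals(SCMHeadOrigin.DEFAULT)` conjunct already excludes same-repo heads, so the collaborator membership test only ever applies to fork heads, as intended.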
    
  • src/main/java/org/jenkinsci/plugin/gitea/GiteaSCMSource.java · +29 −0 · modified
    @@ -462,6 +462,35 @@ protected List<Action> retrieveActions(@NonNull SCMHead head, SCMHeadEvent event
             return result;
         }
     
    +    @NonNull
    +    @Override
    +    public SCMRevision getTrustedRevision(@NonNull SCMRevision revision, @NonNull TaskListener listener)
    +            throws IOException, InterruptedException {
    +        if (revision instanceof PullRequestSCMRevision) {
    +            PullRequestSCMHead head = (PullRequestSCMHead) revision.getHead();
    +            try (GiteaConnection c = gitea().open()) {
    +                try (GiteaSCMSourceRequest request = new GiteaSCMSourceContext(null, SCMHeadObserver.none())
    +                        .withTraits(getTraits())
    +                        .newRequest(this, listener)) {
    +                    request.setConnection(c);
    +                    Set<String> names = new HashSet<>();
    +                    for (GiteaUser u: c.fetchCollaborators(giteaRepository)) {
    +                        names.add(u.getUsername());
    +                    }
    +                    request.setCollaboratorNames(names);
    +                    if (request.isTrusted(head)) {
    +                        return revision;
    +                    }
    +                }
    +                PullRequestSCMRevision rev = (PullRequestSCMRevision) revision;
    +                listener.getLogger().format("Loading trusted files from base branch %s at %s rather than %s%n",
    +                        head.getTarget().getName(), ((SCMRevisionImpl)rev.getTarget()).getHash(), rev.getOrigin().getHash());
    +                return rev.getTarget();
    +            }
    +        }
    +        return revision;
    +    }
    +
         @NonNull
         @Override
         public SCM build(@NonNull SCMHead head, SCMRevision revision) {
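Review bot: the fallback log line in the new `getTrustedRevision` does an unchecked cast, `((SCMRevisionImpl)rev.getTarget()).getHash()`, inside the trust decision; if a target revision of another type ever reaches this method, the resulting `ClassCastException` escapes from what is only a log statement and aborts the build instead of falling back to the base branch. Suggest guarding it with `instanceof` or formatting `rev.getTarget()` directly (its `toString`) and keeping `return rev.getTarget();` unconditional. Separately, `c.fetchCollaborators(giteaRepository)` is called and the `names` set rebuilt on every trusted-revision lookup, so a one-line comment saying this is deliberate (always a fresh collaborator list, never cached) would document the design choice, and the `names` and `request.setCollaboratorNames(names)` pair is the only thing that stops the `checkTrusted` null path from being taken here.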
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 6

News mentions: 0

No linked articles in our index yet.