First published: Fri May 31 2019
Jenkins Gitea Plugin 1.1.1 and earlier did not implement trusted revisions, allowing attackers without commit access to the Git repo to change Jenkinsfiles even if Jenkins is configured to consider them to be untrusted.
Credit: jenkinsci-cert@googlegroups.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Jenkins Gitea Plugin | <=1.1.1 | |
| maven/org.jenkins-ci.plugins:gitea | <1.1.2 | 1.1.2 |
CVE-2019-10330 is a vulnerability in Jenkins Gitea Plugin 1.1.1 and earlier that allows attackers without commit access to the Git repo to change Jenkinsfiles.
CVE-2019-10330 affects Jenkins Gitea Plugin versions up to and including 1.1.1.
CVE-2019-10330 has a severity rating of 7.5 (high).
An attacker without commit access to the Git repo can exploit CVE-2019-10330 by changing Jenkinsfiles, because the plugin did not implement trusted revisions and so applied those changes even when Jenkins was configured to treat them as untrusted.
Yes, updating Jenkins Gitea Plugin to version 1.1.2 or later (any version higher than 1.1.1) fixes CVE-2019-10330.