CyberSec.Space Logo
Back to CVE Browser

CVE-2019-10310

HIGH
8.8
CVSS Severity Score
EPSS Score0.1440%
EPSS Percentile10.27th
PublishedApr 30, 2019
Last ModifiedNov 21, 2024

Vulnerability Description

A cross-site request forgery vulnerability in Jenkins Ansible Tower Plugin 0.9.1 and earlier in the TowerInstallation.TowerInstallationDescriptor#doTestTowerConnection form validation method allowed attackers permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins

Affected Platforms (CPE)

πŸ“¦
Jenkins

Ansible Tower

<= 0.9.1

References & Advisories

πŸ”— http://www.openwall.com/lists/oss-security/2019/04/30/5
πŸ”— http://www.securityfocus.com/bid/108159
πŸ”— https://jenkins.io/security/advisory/2019-04-30/#SECURITY-1355
πŸ”— https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0786
πŸ”— http://www.openwall.com/lists/oss-security/2019/04/30/5
πŸ”— http://www.securityfocus.com/bid/108159
πŸ”— https://jenkins.io/security/advisory/2019-04-30/#SECURITY-1355
πŸ”— https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0786

Related Vulnerabilities

CVE-2018-168799.8

Ansible Tower before version 3.3.3 does not set a secure channel as it is using the default insecure configuration channel setting...

CVE-2018-108848.8

Ansible Tower before versions 3.1.8 and 3.2.6 is vulnerable to cross-site request forgery (CSRF) in awx/api/authentication.py. An ...

CVE-2018-11048.8

Ansible Tower through version 3.2.3 has a vulnerability that allows users only with access to define variables for a job template ...

CVE-2019-103118.8

A missing permission check in Jenkins Ansible Tower Plugin 0.9.1 and earlier in the TowerInstallation.TowerInstallationDescriptor#...