CyberSec.Space Logo
返回 CVE 浏览器

CVE-2019-10310

HIGH
8.8
CVSS Severity Score
EPSS Score0.1440%
EPSS Percentile10.27th
Published2019年4月30日
Last Modified2024年11月21日

Vulnerability Description

A cross-site request forgery vulnerability in Jenkins Ansible Tower Plugin 0.9.1 and earlier in the TowerInstallation.TowerInstallationDescriptor#doTestTowerConnection form validation method allowed attackers permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins

Affected Platforms (CPE)

📦
Jenkins

Ansible Tower

<= 0.9.1

References & Advisories

🔗 http://www.openwall.com/lists/oss-security/2019/04/30/5
🔗 http://www.securityfocus.com/bid/108159
🔗 https://jenkins.io/security/advisory/2019-04-30/#SECURITY-1355
🔗 https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0786
🔗 http://www.openwall.com/lists/oss-security/2019/04/30/5
🔗 http://www.securityfocus.com/bid/108159
🔗 https://jenkins.io/security/advisory/2019-04-30/#SECURITY-1355
🔗 https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0786

相关漏洞威胁

CVE-2018-168799.8

Ansible Tower before version 3.3.3 does not set a secure channel as it is using the default insecure configuration channel setting...

CVE-2018-108848.8

Ansible Tower before versions 3.1.8 and 3.2.6 is vulnerable to cross-site request forgery (CSRF) in awx/api/authentication.py. An ...

CVE-2018-11048.8

Ansible Tower through version 3.2.3 has a vulnerability that allows users only with access to define variables for a job template ...

CVE-2019-103118.8

A missing permission check in Jenkins Ansible Tower Plugin 0.9.1 and earlier in the TowerInstallation.TowerInstallationDescriptor#...