Vulnerability Details : CVE-2019-10330
Jenkins Gitea Plugin 1.1.1 and earlier did not implement trusted revisions. As a result, an attacker without commit access to the Git repository could, by opening a pull request, change the Jenkinsfile that Jenkins executes for that pull request, even when Jenkins is configured to treat such contributors as untrusted. With trusted revisions implemented, the Jenkinsfile of an untrusted pull request is taken from a trusted revision (the target branch) rather than from the contributor's commit, so the contributor's changes are built but cannot alter the pipeline definition that runs them.
Products affected by CVE-2019-10330
- cpe:2.3:a:gitea:gitea:*:*:*:*:*:jenkins:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-10330
EPSS score: 0.50% (estimated probability of exploitation activity in the next 30 days)
EPSS percentile: ~76% (the proportion of all scored vulnerabilities with an EPSS score at or below this one)
CVSS scores for CVE-2019-10330
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N | 10.0 | 2.9 | NIST |
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N | 3.9 | 3.6 | NIST |
CWE ids for CVE-2019-10330
- The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product. (Assigned by jenkinsci-cert@googlegroups.com, Secondary)
- The product does not perform an authorization check when an actor attempts to access a resource or perform an action. (Assigned by nvd@nist.gov, Primary)
References for CVE-2019-10330
- http://www.openwall.com/lists/oss-security/2019/05/31/2 (oss-security: Multiple vulnerabilities in Jenkins plugins; Mailing List, Third Party Advisory)
- https://jenkins.io/security/advisory/2019-05-31/#SECURITY-1046 (Jenkins Security Advisory 2019-05-31; Vendor Advisory)
- http://www.securityfocus.com/bid/108540 (Jenkins Plugins Multiple Security Vulnerabilities; Third Party Advisory, VDB Entry)