Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-cg6r-gqvc-r396: CSRF vulnerability in GitLab Authentication Plugin

GitLab Authentication Plugin 1.17.1 and earlier does not implement a state parameter in its OAuth flow, a unique and non-guessable value associated with each authentication request.

This vulnerability allows attackers to trick users into logging in to the attacker’s account.

GitLab Authentication Plugin 1.18 implements a state parameter in its OAuth flow.

ghsa
#csrf#vulnerability#git#oauth#auth

CSRF vulnerability in GitLab Authentication Plugin

Moderate severity GitHub Reviewed Published Jul 26, 2023 to the GitHub Advisory Database • Updated Jul 26, 2023

Related news

CVE-2023-39156: Jenkins Security Advisory 2023-07-26

A cross-site request forgery (CSRF) vulnerability in Jenkins Bazaar Plugin 1.22 and earlier allows attackers to delete previously created Bazaar SCM tags.

CVE-2023-39153: Jenkins Security Advisory 2023-07-26

A cross-site request forgery (CSRF) vulnerability in Jenkins GitLab Authentication Plugin 1.17.1 and earlier allows attackers to trick users into logging in to the attacker's account.

CVE-2023-39151: Jenkins Security Advisory 2023-07-26

Jenkins 2.415 and earlier, LTS 2.401.2 and earlier does not sanitize or properly encode URLs in build logs when transforming them into hyperlinks, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control build log contents.

CVE-2023-39155: Jenkins Security Advisory 2023-07-26

Jenkins Chef Identity Plugin 2.0.3 and earlier does not mask the user.pem key form field, increasing the potential for attackers to observe and capture it.

CVE-2023-39154: Jenkins Security Advisory 2023-07-26

Incorrect permission checks in Jenkins Qualys Web App Scanning Connector Plugin 2.0.10 and earlier allow attackers with global Item/Configure permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

CVE-2023-39152: Jenkins Security Advisory 2023-07-26

Always-incorrect control flow implementation in Jenkins Gradle Plugin 2.8 may result in credentials not being masked (i.e., replaced with asterisks) in the build log in some circumstances.