Jenkins GitHub Authentication Plugin did not manage the state parameter of OAuth to prevent CSRF. This allowed an attacker to catch the redirect URL provided during the authentication process using OAuth and send it to the victim. If the victim was already connected to Jenkins, their Jenkins account would be attached to the attacker’s GitHub account.

The state parameter is now correctly managed.

Affected Packages

Maven org.jenkins-ci.plugins:github-oauth

Affected versions: 0 (fixed in 0.32)

Related CVEs

CVE-2019-10315

Key Information

GHSA ID

GHSA-phwv-crgp-9r69

Published

May 24, 2022 4:44 PM

Last Modified

October 26, 2023 9:51 PM

CVSS Score

5.0 /10

Primary Ecosystem

Maven

Primary Package

org.jenkins-ci.plugins:github-oauth

GitHub Reviewed

✓ Yes

Dataset

Last updated: August 25, 2025 6:33 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.