CVE-2022-27206 – org.jenkins-ci.plugins:gitlab-oauth
Package
Manager: maven
Name: org.jenkins-ci.plugins:gitlab-oauth
Vulnerable Version: >=0 <1.14
Severity
Level: Low
CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.0056 (percentile 0.67289)
Details
Client Secret stored in plain text by Jenkins GitLab Authentication Plugin

Jenkins GitLab Authentication Plugin 1.13 and earlier stores the GitLab client secret unencrypted in the global `config.xml` file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system.
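As an added detection example (not part of this advisory and not the plugin's own code): a script that scans a Jenkins controller's `config.xml` for secret-like elements whose value is not in the braces-wrapped base64 form Jenkins uses for encrypted `Secret` values, which is the symptom this advisory describes. The sample XML, the `clientSecret` element name and the name hints are constructed assumptions, not the plugin's actual serialized layout.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample resembling a controller's global config.xml.
# <clientSecret> is an assumed element name, not the plugin's real one.
SAMPLE_CONFIG_XML = """<hudson>
  <securityRealm class="org.jenkinsci.plugins.GitLabSecurityRealm">
    <gitlabWebUri>https://gitlab.example.invalid</gitlabWebUri>
    <clientID>app-id-0001</clientID>
    <clientSecret>supersecret-plaintext-value</clientSecret>
  </securityRealm>
  <credentials>
    <apiToken>{AQAAABAAAAAgc29tZS1jaXBoZXJ0ZXh0LWJ5dGVzLWdvLWhlcmU=}</apiToken>
  </credentials>
</hudson>
"""

# Heuristic for an encrypted Jenkins Secret: base64 text wrapped in braces.
ENCRYPTED_RE = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")
# Element-name substrings (assumed, case-insensitive) that usually hold secrets.
SECRET_NAME_HINTS = ("secret", "token", "password", "apikey")


def find_plaintext_secrets(xml_text: str) -> list[tuple[str, str]]:
    """Return (element path, value) for secret-like elements whose text
    is present but not in the encrypted {base64} form."""
    root = ET.fromstring(xml_text)
    findings: list[tuple[str, str]] = []

    def walk(elem: ET.Element, path: str) -> None:
        name = elem.tag.lower()
        value = (elem.text or "").strip()
        looks_secret = any(hint in name for hint in SECRET_NAME_HINTS)
        if value and looks_secret and not ENCRYPTED_RE.match(value):
            findings.append((path, value))
        for child in elem:  # ElementTree has no parent links, so carry the path
            walk(child, f"{path}/{child.tag}")

    walk(root, root.tag)
    return findings


if __name__ == "__main__":
    for path, value in find_plaintext_secrets(SAMPLE_CONFIG_XML):
        # Report where the plaintext value lives; do not echo the value itself.
        print(f"plaintext secret at {path} ({len(value)} chars)")
```

On a real controller, run it against `$JENKINS_HOME/config.xml`; a hit on the GitLab realm's secret element indicates the pre-1.14 storage behaviour and the secret should be rotated after upgrading.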
Metadata
Created: 2022-03-16T00:00:43Z
Modified: 2022-11-30T20:15:12Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-hx3r-qwxv-5jw9/GHSA-hx3r-qwxv-5jw9.json
CWE IDs: ["CWE-311", "CWE-522"]
Alternative ID: GHSA-hx3r-qwxv-5jw9
Finding: F020
Auto approve: 1