logo

Database

Non-encrypted confidential information In org.jenkins-ci.plugins:gitlab-oauth

Description

Client Secret stored in plain text by Jenkins GitLab Authentication Plugin Jenkins GitLab Authentication Plugin 1.13 and earlier stores the GitLab client secret unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

This client secret can be viewed by users with access to the Jenkins controller file system.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2022-272062. NVD-2022-272063. OSV-2022-272064. GCVE-2022-27206

References

1. https://github.com/jenkinsci/gitlab-oauth-plugin/releases/tag/gitlab-oauth-1.142. https://www.jenkins.io/security/advisory/2022-03-15/#SECURITY-18913. http://www.openwall.com/lists/oss-security/2022/03/15/2

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.