logo

Database

Authentication mechanism absence or evasion In org.jenkins-ci.plugins:gitlab-oauth

Description

Improper authorization of users and groups with the same base name in Jenkins GitLab Authentication Plugin GitLab Authentication Plugin 1.5 and earlier does not differentiate between user names and hierarchical group names when performing authorization. This allows an attacker with permissions to create groups in GitLab to gain the privileges granted to another user or group.

GitLab Authentication Plugin 1.6 performs user name and group name authorization checks using the appropriate GitLab APIs.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2020-22282. NVD-2020-22283. OSV-2020-22284. GCVE-2020-2228

References

1. https://jenkins.io/security/advisory/2020-07-15/#SECURITY-17922. http://www.openwall.com/lists/oss-security/2020/07/15/5

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.