logo

Database

Improper authorization control for web services In org.jenkins-ci.plugins:gitlab-plugin

Description

Missing permission check in Jenkins GitLab Plugin Jenkins GitLab Plugin 1.5.31 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. An enumeration of credentials IDs in GitLab Plugin 1.5.32 requires the appropriate permissions.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2022-309552. NVD-2022-309553. OSV-2022-309554. GCVE-2022-30955

References

1. https://github.com/jenkinsci/gitlab-plugin/commit/37e48ca920a4779109b885f4de62111e0baf846a2. https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2753

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.