Jenkins GitLab Plugin Cross-Site Request Forgery vulnerability

2022-05-2416:43:53

Google

osv.dev

6.2 Medium

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

54.5%

JSON

Jenkins GitLab Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method did not require POST requests, resulting in a cross-site request forgery vulnerability.

This form validation method now requires POST requests and Overall/Administer permissions.

CPENameOperatorVersion
org.jenkins-ci.plugins:gitlab-plugineq1.5.4
org.jenkins-ci.plugins:gitlab-plugineq1.4.6
org.jenkins-ci.plugins:gitlab-plugineq1.5.2
org.jenkins-ci.plugins:gitlab-plugineq1.1.16
org.jenkins-ci.plugins:gitlab-plugineq1.5.10
org.jenkins-ci.plugins:gitlab-plugineq1.1.14
org.jenkins-ci.plugins:gitlab-plugineq1.1.21
org.jenkins-ci.plugins:gitlab-plugineq1.1.20
org.jenkins-ci.plugins:gitlab-plugineq1.2.2
org.jenkins-ci.plugins:gitlab-plugineq1.0.10

Name	Operator	Version
org.jenkins-ci.plugins:gitlab-plugin	eq	1.5.4
org.jenkins-ci.plugins:gitlab-plugin	eq	1.4.6
org.jenkins-ci.plugins:gitlab-plugin	eq	1.5.2
org.jenkins-ci.plugins:gitlab-plugin	eq	1.1.16
org.jenkins-ci.plugins:gitlab-plugin	eq	1.5.10
org.jenkins-ci.plugins:gitlab-plugin	eq	1.1.14
org.jenkins-ci.plugins:gitlab-plugin	eq	1.1.21
org.jenkins-ci.plugins:gitlab-plugin	eq	1.1.20
org.jenkins-ci.plugins:gitlab-plugin	eq	1.2.2
org.jenkins-ci.plugins:gitlab-plugin	eq	1.0.10