6 matches found
CVE-2022-34777
Summary of CVE-2022-34777: The Jenkins GitLab Plugin (versions 1.5.34 and earlier) does not escape multiple fields in the description of webhook-triggered builds, causing a stored cross-site scripting (XSS) vulnerability. Exploitation requires Item/Configure permission. The issue is documented in...
CVE-2022-30955
CVE-2022-30955 affects Jenkins GitLab Plugin (≤ 1.5.31). The issue is a missing permission check on an HTTP endpoint that allows users with Overall/Read to enumerate credentials IDs stored in Jenkins, exposing credential identifiers. The primary sources (NVD entry and related advisories) describe...
CVE-2025-24397
CVE-2025-24397 concerns Jenkins GitLab Plugin (versions 1.9.6 and earlier) where an incorrect permission check in an HTTP endpoint allows attackers with global Item/Configure permission (but not per-job Item/Configure) to enumerate credential IDs of GitLab API tokens and Secret text credentials s...
CVE-2022-43411
CVE-2022-43411 affects Jenkins GitLab Plugin (versions ≤ 1.5.35). The webhook token check uses a non-constant-time comparison, enabling potential timing-based…statistical attacks to deduce a valid token. The issue is fixed in GitLab Plugin 1.5.36, which adopts a constant-time comparison. Other co...
CVE-2019-10300
The CVE-2019-10300 issue affects the Jenkins GitLab Plugin (v1.5.11 and earlier) in the GitLabConnectionConfig.doTestConnection form validation. The root cause is a missing or insufficient permissions check on the testConnection endpoint, enabling an attacker with certain Jenkins privileges (e.g....
CVE-2019-10301
CVE-2019-10301 affects Jenkins GitLab Plugin ≤ 1.5.11. A missing permission check in GitLabConnectionConfig#doTestConnection form validation allowed users with Overall/Read to connect to an attacker-specified URL using attacker-specified credentials IDs, enabling access to credentials stored in J...