4 matches found
CVE-2023-39153
CVE-2023-39153 is a CSRF vulnerability in Jenkins GitLab Authentication Plugin versions ≤ 1.17.1. The flaw allows an attacker to lure a logged-in user into authenticating to the attacker’s account, via a crafted request, effectively abusing the OAuth flow. The root cause is the plugin’s lack of a...
CVE-2022-25196
CVE-2022-25196 affects the Jenkins GitLab Authentication Plugin (1.13 and earlier). The vulnerability arises because the plugin records the HTTP Referer header as part of the URL query parameters at the start of authentication, enabling an attacker with Jenkins access to craft a login URL that re...
CVE-2022-27206
CVE-2022-27206 affects Jenkins GitLab Authentication Plugin 1.13 and earlier. It stores the GitLab client secret unencrypted in the global config.xml on the Jenkins controller, enabling access to the secret by users with filesystem access. The provided connected documents do not specify an availa...
CVE-2020-2228
The CVE-2020-2228 issue affects Jenkins Gitlab Authentication Plugin; versions 1.5 and earlier fail to differentiate between user names and hierarchical group names during authorization, enabling privilege escalation. The root cause is improper authorization checks when the same base name is used...