CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

22 Jan 2025 — An incorrect permission check in Jenkins GitLab Plugin 1.9.6 and earlier allows attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to enumerate credential IDs of GitLab API token and Secret text credentials stored in Jenkins. • https://www.jenkins.io/security/advisory/2025-01-22/#SECURITY-3260 • CWE-863: Incorrect Authorization •

CVSS: 6.4 | EPSS: 0% | CPEs: 1 | EXPL: 0

26 Jul 2023 — A cross-site request forgery (CSRF) vulnerability in Jenkins GitLab Authentication Plugin 1.17.1 and earlier allows attackers to trick users into logging in to the attacker's account. • http://www.openwall.com/lists/oss-security/2023/07/26/2 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 5.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

19 Oct 2022 — Jenkins GitLab Plugin 1.5.35 and earlier uses a non-constant-time comparison function when checking whether the provided and expected webhook tokens are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token. • http://www.openwall.com/lists/oss-security/2022/10/19/3 • CWE-203: Observable Discrepancy •

CVSS: 5.4 | EPSS: 47% | CPEs: 1 | EXPL: 0

30 Jun 2022 — Jenkins GitLab Plugin 1.5.34 and earlier does not escape multiple fields inserted into the description of webhook-triggered builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. • https://www.jenkins.io/security/advisory/2022-06-30/#SECURITY-2316 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

17 May 2022 — Jenkins GitLab Plugin 1.5.31 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate the credential IDs of credentials stored in Jenkins. • https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2753 • CWE-862: Missing Authorization •

CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

15 Mar 2022 — Jenkins GitLab Authentication Plugin 1.13 and earlier stores the GitLab client secret unencrypted in the global config.xml file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system. • http://www.openwall.com/lists/oss-security/2022/03/15/2 • CWE-522: Insufficiently Protected Credentials •

CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 0

15 Feb 2022 — Jenkins GitLab Authentication Plugin 1.13 and earlier records the HTTP Referer header as part of the URL query parameters when the authentication process starts, allowing attackers with access to Jenkins to craft a URL that will redirect users to an attacker-specified URL after logging in. • http://www.openwall.com/lists/oss-security/2022/02/15/2 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

15 Jul 2020 — Jenkins Gitlab Authentication Plugin 1.5 and earlier does not perform group authorization checks properly, resulting in a privilege escalation vulnerability. • http://www.openwall.com/lists/oss-security/2020/07/15/5 • CWE-863: Incorrect Authorization •

CVSS: 6.1 | EPSS: 93% | CPEs: 1 | EXPL: 3

15 Jan 2020 — Jenkins Gitlab Hook Plugin 1.4.2 and earlier does not escape project names in the build_now endpoint, resulting in a reflected XSS vulnerability. Jenkins Gitlab Hook plugin version 1.4.2 suffers from a cross-site scripting vulnerability. • https://packetstorm.news/files/id/155967 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

25 Sep 2019 — Jenkins GitLab Logo Plugin stores credentials unencrypted in its global configuration file on the Jenkins master, where they can be viewed by users with access to the master file system. • http://www.openwall.com/lists/oss-security/2019/09/25/3 • CWE-522: Insufficiently Protected Credentials •