Jenkins GitLab Plugin Incorrect Permission Check Vulnerability Allowing Credential ID Enumeration

Vulnerability

A vulnerability exists in Jenkins GitLab Plugin versions up to and including 1.9.6, where an incorrect permission check allows attackers with global Item/Configure permission to enumerate the credential IDs of GitLab API token and Secret text credentials stored in Jenkins. The issue arises because the plugin does not properly validate permissions in an HTTP endpoint, so the endpoint discloses credential IDs that could then be used to capture the credentials themselves through another vulnerability.
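
The pattern behind this class of Jenkins bug is a credentials dropdown endpoint (doFill...CredentialsIdItems) whose permission check is made against the Jenkins root instead of the job the request belongs to. The following is an added illustration of the weak check beside the hardened one, written for this page and not taken from the GitLab Plugin; the endpoint shape, the credential type queried and the exact fix in 1.9.7 are assumptions, since the page does not show them.

```java
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.ListBoxModel;
import java.util.Collections;
import jenkins.model.Jenkins;
import org.jenkinsci.plugins.plaincredentials.StringCredentials;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;

// Illustrative descriptor-style form-validation endpoints (assumed shape, not the plugin's code).
public class CredentialsDropdownExample {

    // Weak pattern: the check is made against the Jenkins root, so a user granted
    // Item/Configure globally passes it even when the request carries no job context
    // (item == null), and receives the IDs of every matching credential.
    public ListBoxModel doFillCredentialsIdItemsWeak(@AncestorInPath Item item,
                                                     @QueryParameter String credentialsId) {
        if (!Jenkins.get().hasPermission(Item.CONFIGURE)) {
            return new StandardListBoxModel().includeCurrentValue(credentialsId);
        }
        return listSecretTextCredentials(item, credentialsId);
    }

    // Hardened pattern: require Item/Configure on the specific item, and fall back to
    // Overall/Administer when the request has no item context. Callers without the
    // permission only get back the value they already submitted, so nothing is enumerated.
    public ListBoxModel doFillCredentialsIdItemsHardened(@AncestorInPath Item item,
                                                         @QueryParameter String credentialsId) {
        boolean allowed = (item == null)
                ? Jenkins.get().hasPermission(Jenkins.ADMINISTER)
                : item.hasPermission(Item.CONFIGURE);
        if (!allowed) {
            return new StandardListBoxModel().includeCurrentValue(credentialsId);
        }
        return listSecretTextCredentials(item, credentialsId);
    }

    // Lists Secret text (StringCredentials) IDs visible in the given context. The lookup
    // runs as SYSTEM, which is exactly why the permission gate above must be correct.
    private ListBoxModel listSecretTextCredentials(Item item, String credentialsId) {
        return new StandardListBoxModel()
                .includeEmptyValue()
                .includeMatchingAs(ACL.SYSTEM2, item, StringCredentials.class,
                        Collections.emptyList(), CredentialsMatchers.always())
                .includeCurrentValue(credentialsId);
    }
}
```

When reviewing a plugin for this bug, look for any doFill*Items or doCheck* method that calls hasPermission on Jenkins.get() while also accepting an @AncestorInPath Item it never checks.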

Impact

Exploitation of this vulnerability allows for the enumeration of credential IDs, which could be used to capture sensitive credentials through other vulnerabilities.

Remediation

Users of Jenkins GitLab Plugin should update to version 1.9.7, which addresses this vulnerability.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
  spread:         5.7
  impact:         2.5
  exploitability: 4.9
  remediation:    7.7
  relevance:      0.0
  threat:         0.0
  urgency:        2.9
  incentive:      1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.