cbcvebase.
CVE-2022-30955
published 2022-05-17

CVE-2022-30955: Jenkins GitLab Plugin 1.5.31 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate…

PriorityP434medium6.5CVSS 3.1
AVNACLPRLUINSUCHINAN
EPSS
0.80%
52.0th percentile
Jenkins GitLab Plugin 1.5.31 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

Affected

23 ranges
VendorProductVersion rangeFixed in
gitlabgitlab
jenkinsapplication_detector_plugin
jenkinsautocomplete_parameter_plugin
jenkinsblue_ocean_plugin
jenkinsgit_plugin
jenkinsgitlab<= 1.5.31
jenkinsgitlab_plugin
jenkinsglobal_variable_string_parameter_plugin
jenkinsgroovy_plugin
jenkinshttp_requests_in_script_security_plugin
jenkinsjdk_parameter_plugin
jenkinsjenkins_core
jenkinsmercurial_plugin
jenkinsmultiselect_parameter_plugin
jenkinsrandom_string_parameter_plugin
jenkinsrepo_plugin
jenkinsrundeck_plugin
jenkinsscript_security_plugin
jenkinsselection_tasks_plugin
jenkinsssh_plugin
jenkinsstorable_configs_plugin
jenkinswhile_credentials_plugin
jenkins_projectjenkins_gitlab_pluginunspecified – 1.5.31

CVSS provenance

nvdv3.16.5MEDIUMCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
nvdv2.04.0MEDIUMAV:N/AC:L/Au:S/C:P/I:N/A:N
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.