CVE-2022-30955
Published 2022-05-17
Priority: P4 · 34 · Severity: medium · CVSS 3.1 base score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.80% (52.0th percentile)
Jenkins GitLab Plugin 1.5.31 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
Affected (23 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gitlab | gitlab | — | — |
| jenkins | application_detector_plugin | — | — |
| jenkins | autocomplete_parameter_plugin | — | — |
| jenkins | blue_ocean_plugin | — | — |
| jenkins | git_plugin | — | — |
| jenkins | gitlab | <= 1.5.31 | — |
| jenkins | gitlab_plugin | — | — |
| jenkins | global_variable_string_parameter_plugin | — | — |
| jenkins | groovy_plugin | — | — |
| jenkins | http_requests_in_script_security_plugin | — | — |
| jenkins | jdk_parameter_plugin | — | — |
| jenkins | jenkins_core | — | — |
| jenkins | mercurial_plugin | — | — |
| jenkins | multiselect_parameter_plugin | — | — |
| jenkins | random_string_parameter_plugin | — | — |
| jenkins | repo_plugin | — | — |
| jenkins | rundeck_plugin | — | — |
| jenkins | script_security_plugin | — | — |
| jenkins | selection_tasks_plugin | — | — |
| jenkins | ssh_plugin | — | — |
| jenkins | storable_configs_plugin | — | — |
| jenkins | while_credentials_plugin | — | — |
| jenkins_project | jenkins_gitlab_plugin | unspecified – 1.5.31 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| nvd | 2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N |
Jenkins
Jenkins Security Advisory 2022-05-17 (vendor_jenkins · 2022-05-17 · CVSS 8.5; indexed as CVE-2017-2601 [HIGH])
This advisory announces vulnerabilities in the following Jenkins deliverables:
- Application Detector Plugin
- Autocomplete Parameter Plugin
- Blue Ocean Plugin
- Git Plugin
- GitLab Plugin
- Global Variable String Parameter Plugin
- JDK Parameter Plugin
GitLab
CVE-2022-30955 (vendor_gitlab · 2022-05-17 · CVSS 6.5 · MEDIUM · CWE-862)
CVE-2022-30955: Jenkins GitLab Plugin 1.5.31 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
OSV
Missing permission check in Jenkins GitLab Plugin (osv · 2022-05-18 · CVE-2022-30955 [MEDIUM])
Jenkins GitLab Plugin 1.5.31 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. An enumeration of credentials IDs in GitLab Plugin 1.5.32 requires the appropriate permissions.
GHSA
Missing permission check in Jenkins GitLab Plugin (ghsa · 2022-05-18 · CVE-2022-30955 [MEDIUM] · CWE-862)
Jenkins GitLab Plugin 1.5.31 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. An enumeration of credentials IDs in GitLab Plugin 1.5.32 requires the appropriate permissions.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.