CVE-2024-23901

CWE-200 — Information Exposure6 documents6 sources

Severity

6.5MEDIUM

EPSS

0.1%

top 74.81%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Project Jenkins Gitlab Branch Source Plugin Jenkins Github Branch Source

Timeline

PublishedJan 24

Description

Jenkins GitLab Branch Source Plugin 684.vea_fa_7c1e2fe3 and earlier unconditionally discovers projects that are shared with the configured owner group, allowing attackers to configure and share a project, resulting in a crafted Pipeline being built by Jenkins during the next scan of the group.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:NExploitability: 3.9 | Impact: 2.5

Affected Packages3 packages

▶CVEListV5jenkins_project/jenkins_gitlab_branch_source_plugin684.vea_fa_7c1e2fe3

▶Mavenio.jenkins.plugins:gitlab-branch-source< 688.v5fa

▶NVDjenkins/github_branch_source684.vea_fa_7c1e2fe3

🔴Vulnerability Details

OSV

Shared projects are unconditionally discovered by Jenkins GitLab Branch Source Plugin↗2024-01-24

▶

CVEList

CVE-2024-23901: Jenkins GitLab Branch Source Plugin 684↗2024-01-24

▶

GHSA

Shared projects are unconditionally discovered by Jenkins GitLab Branch Source Plugin↗2024-01-24

▶

📋Vendor Advisories

GitLab

CVE-2024-23901: Jenkins GitLab Branch Source Plugin 684.vea_fa_7c1e2fe3 and earlier unconditionally discovers projects that are shared with the configured owner group↗2024-01-24

▶

Jenkins

Jenkins Security Advisory 2024-01-24↗2024-01-24

▶