CVE-2025-24397
published 2025-01-22

Priority: P4 (21)
CVSS 3.1: 4.3 (medium), vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.29% (20.5th percentile)
An incorrect permission check in Jenkins GitLab Plugin 1.9.6 and earlier allows attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to enumerate credential IDs of GitLab API token and Secret text credentials stored in Jenkins.
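The flaw class is a credentials drop-down (form-fill) method that gates the list of credential IDs on a global permission instead of on the job the form belongs to. The following Java is an added, illustrative example of that weak pattern next to the check recommended in the Jenkins plugin developer documentation; it is not the GitLab Plugin's own code, the class and method names are hypothetical, and it assumes the Credentials Plugin API with Spring Security authentication (ACL.SYSTEM2, Jenkins 2.266 or later).

```java
// Illustrative example (not the GitLab Plugin's code): a Descriptor method that
// fills a credentials drop-down. Class and method names are hypothetical.
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
import hudson.Extension;
import hudson.model.Descriptor;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.ListBoxModel;
import jenkins.model.Jenkins;
import org.jenkinsci.plugins.plaincredentials.StringCredentials;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;
import java.util.Collections;

public class ExampleCredentialsFormFill {

    // WEAK: the only gate is Item/Configure on the Jenkins root ("global"
    // Item/Configure). A user who holds that permission but has no Configure
    // permission on any particular job still receives every matching
    // credential ID, because the per-item permission is never consulted.
    public static ListBoxModel doFillCredentialsIdItemsWeak(
            @AncestorInPath Item item, @QueryParameter String credentialsId) {
        StandardListBoxModel result = new StandardListBoxModel();
        if (!Jenkins.get().hasPermission(Item.CONFIGURE)) {
            return result.includeCurrentValue(credentialsId);
        }
        return result.includeEmptyValue()
                .includeAs(ACL.SYSTEM2, item, StringCredentials.class, Collections.emptyList())
                .includeCurrentValue(credentialsId);
    }

    // HARDENED: the check is made against the job the form belongs to.
    // - No item in scope (global configuration page): require Overall/Administer.
    // - Item in scope: require Item/ExtendedRead or Credentials/UseItem on that
    //   item, which is what the Credentials Plugin consumer guide prescribes.
    // Anyone failing the check only gets back the value already in the field,
    // so no other credential IDs are disclosed.
    @POST // form-fill methods that reveal credential IDs should not answer GET
    public static ListBoxModel doFillCredentialsIdItemsFixed(
            @AncestorInPath Item item, @QueryParameter String credentialsId) {
        StandardListBoxModel result = new StandardListBoxModel();
        if (item == null) {
            if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
                return result.includeCurrentValue(credentialsId);
            }
        } else {
            if (!item.hasPermission(Item.EXTENDED_READ)
                    && !item.hasPermission(CredentialsProvider.USE_ITEM)) {
                return result.includeCurrentValue(credentialsId);
            }
        }
        return result.includeEmptyValue()
                .includeAs(ACL.SYSTEM2, item, StringCredentials.class, Collections.emptyList())
                .includeCurrentValue(credentialsId);
    }
}
```

When auditing a plugin for this pattern, look for `doFill...Items` and `doCheck...` methods that reference credentials and confirm that the gate uses the `@AncestorInPath Item` (or is explicitly Overall/Administer when no item is in scope), not `Jenkins.get().hasPermission(...)` alone; the latter is exactly the "global permission while lacking it on any particular job" condition the description above refers to.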

Affected (12 ranges)

Vendor           Product                                              Version range   Fixed in
gitlab           gitlab                                               -               -
jenkins          azure_service_fabric_plugin                          -               -
jenkins          bitbucket_server_integration_plugin                  -               -
jenkins          cache_confusion_in_eiffel_broadcaster_plugin         -               -
jenkins          eiffel_broadcaster_plugin                            -               -
jenkins          folder-based_authorization_strategy_plugin           -               -
jenkins          gitlab                                               <= 1.9.6        -
jenkins          gitlab_plugin                                        -               -
jenkins          openid_connect_authentication_plugin                 -               -
jenkins          tokens_displayed_without_masking_by_zoom_plugin      -               -
jenkins          zoom_plugin                                          -               -
jenkins_project  jenkins_gitlab_plugin                                <= 1.9.6        -

Only the two GitLab plugin rows carry a version range (<= 1.9.6), and no row lists a fixed version. The description above names only the Jenkins GitLab Plugin; the remaining product entries carry no version range, and several of them (for example cache_confusion_in_eiffel_broadcaster_plugin and tokens_displayed_without_masking_by_zoom_plugin) read like titles of other advisories rather than plugin names, so treat them with caution when matching this CVE against installed plugins.