Jenkins GitLab Plugin vulnerabilities
6 known vulnerabilities affecting jenkins/gitlab (the Jenkins GitLab Plugin). Four of the six are authorization flaws around stored credentials: two let low-privileged users enumerate credential IDs, and two let a credential ID obtained that way be turned into a captured secret via the connection-test endpoint.
Total CVEs: 6
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 2, MEDIUM 4
Vulnerabilities
CVE-2025-24397 | MEDIUM | CVSS 4.3 | CWE-863 | affected: 1.9.6 and earlier | published: 2025-01-22
An incorrect permission check in Jenkins GitLab Plugin 1.9.6 and earlier allows attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to enumerate credential IDs of GitLab API token and Secret text credentials stored in Jenkins.
Source: NVD
CVE-2022-43411 | MEDIUM | CVSS 5.3 | CWE-203 | affected: 1.5.35 and earlier, fixed in 1.5.36 | published: 2022-10-19
Jenkins GitLab Plugin 1.5.35 and earlier uses a non-constant-time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token.
Source: NVD
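The following is an added example, not code from the GitLab Plugin, showing why the CWE-203 pattern in CVE-2022-43411 matters. It models an early-exit token comparison beside a constant-time one, and runs a byte-at-a-time recovery against both. Two assumptions are made for the sake of an offline demonstration: the oracle reports the number of bytes compared directly (standing in for the response latency an attacker would actually measure and average over many requests), and the attacker knows the token's length and alphabet. The token, `ALPHABET`, and all function names are constructed for this example.

```python
import hmac
import secrets
import string
from typing import Callable, Dict, Optional, Tuple

# Constructed for this example: the character set the webhook token is drawn from.
ALPHABET = string.ascii_letters + string.digits

# An oracle takes a candidate token and returns (matched, work). `work` stands in
# for the response latency an attacker would measure; returning it directly is a
# modelling assumption that removes the noise a real attacker averages away.
Oracle = Callable[[str], Tuple[bool, int]]


def leaky_equals(provided: str, expected: str) -> Tuple[bool, int]:
    """Early-exit comparison in the style of String.equals(): stops at the first
    differing byte, so `work` (bytes compared) grows with the length of the
    correct prefix. This is the non-constant-time pattern CVE-2022-43411 names."""
    work = 0
    if len(provided) != len(expected):
        return False, work
    for a, b in zip(provided.encode(), expected.encode()):
        work += 1
        if a != b:
            return False, work
    return True, work


def constant_time_equals(provided: str, expected: str) -> Tuple[bool, int]:
    """Hardened form: hmac.compare_digest touches every byte regardless of where
    the first difference is, so `work` is independent of the token contents."""
    return hmac.compare_digest(provided.encode(), expected.encode()), len(provided)


def recover_token(oracle: Oracle, length: int, alphabet: str = ALPHABET) -> Optional[str]:
    """Byte-at-a-time recovery. At each position the single candidate that makes
    the comparison run further is the correct byte. Returns None as soon as a
    position yields no signal, which is what happens against the constant-time
    oracle (or if the token uses a byte outside `alphabet`)."""
    known = ""
    for pos in range(length):
        works: Dict[str, int] = {}
        for c in alphabet:
            guess = known + c + "A" * (length - pos - 1)  # pad to the right length
            matched, work = oracle(guess)
            if matched:
                return guess
            works[c] = work
        if len(set(works.values())) == 1:
            return None  # every candidate cost the same: nothing leaks
        known += max(works, key=works.get)
    return None


def random_token(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Constructed secret for the demo; a real webhook token would be configured on the job."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def run_demo(token: str) -> Tuple[Optional[str], Optional[str]]:
    """Attack the same token behind both comparison functions. Returns
    (result against the leaky check, result against the constant-time check)."""
    def leaky(guess: str) -> Tuple[bool, int]:
        return leaky_equals(guess, token)

    def safe(guess: str) -> Tuple[bool, int]:
        return constant_time_equals(guess, token)

    return recover_token(leaky, len(token)), recover_token(safe, len(token))


if __name__ == "__main__":
    secret_token = random_token()
    leaked, not_leaked = run_demo(secret_token)
    print("token:           ", secret_token)
    print("leaky comparison:", leaked)       # recovered byte by byte
    print("constant-time:   ", not_leaked)   # None: no signal to follow
```

Against the early-exit comparison the attacker needs at most `len(token) * len(ALPHABET)` queries rather than `len(ALPHABET) ** len(token)`; against the constant-time comparison the first position already yields identical cost for every candidate and the search stops. In a real deployment the per-byte difference is nanoseconds and must be recovered statistically from many noisy timings, which is what the advisory's "statistical methods" refers to; the fix is a comparison whose running time does not depend on where the inputs differ (in Java, for instance, MessageDigest.isEqual).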
CVE-2022-34777 | MEDIUM | CVSS 5.4 | CWE-79 | affected: 1.5.34 and earlier | published: 2022-06-30
Jenkins GitLab Plugin 1.5.34 and earlier does not escape multiple fields inserted into the description of webhook-triggered builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
Source: NVD
CVE-2022-30955 | MEDIUM | CVSS 6.5 | CWE-862 | affected: 1.5.31 and earlier | published: 2022-05-17
Jenkins GitLab Plugin 1.5.31 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credential IDs of credentials stored in Jenkins.
Source: NVD
CVE-2019-10300 | HIGH | CVSS 8.0 | CWE-352 | affected: 1.5.11 and earlier | published: 2019-04-18
A cross-site request forgery vulnerability in Jenkins GitLab Plugin 1.5.11 and earlier in the GitLabConnectionConfig#doTestConnection form validation method allowed attackers to connect to an attacker-specified URL using attacker-specified credential IDs obtained through another method, capturing credentials stored in Jenkins.
Source: NVD

CVE-2019-10301 | HIGH | CVSS 8.8 | CWE-862 | affected: 1.5.11 and earlier | published: 2019-04-18
A missing permission check in Jenkins GitLab Plugin 1.5.11 and earlier in the GitLabConnectionConfig#doTestConnection form validation method allowed attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credential IDs obtained through another method, capturing credentials stored in Jenkins.
Source: NVD

Note on the 2019 pair: both CVEs concern the same connection-test endpoint. CVE-2019-10300 lets an unauthenticated attacker reach it through a logged-in user's browser (CSRF), while CVE-2019-10301 lets any user holding Overall/Read call it directly. In either case the endpoint resolves a credential ID and sends the secret to whatever URL the attacker supplies, so the "credential IDs obtained through another method" prerequisite is exactly what the later enumeration issues (CVE-2022-30955, CVE-2025-24397) provide on unpatched instances.