Insecure Storage of Client Secret in Jenkins GitLab Authentication Plugin
CVE-2022-27206

6.5MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins Gitlab Authentication Plugin
Vendor: CVE Published:; 15 March 2022

What is CVE-2022-27206?

The Jenkins GitLab Authentication Plugin prior to version 1.14 exposes a significant security risk due to the unencrypted storage of the GitLab client secret in the global config.xml file. This file resides on the Jenkins controller, making it accessible to users with file system access, which can lead to unauthorized access and exploitation of the user's GitLab environment. Proper handling and encryption of sensitive credentials are essential to mitigate these risks.

Affected Version(s)

Jenkins GitLab Authentication Plugin <= 1.13

References

https://www.jenkins.io/security/advisory/2022-03-15/#SECU...

x_refsource_CONFIRM

http://www.openwall.com/lists/oss-security/2022/03/15/2

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 15, 2022
Vulnerability Reserved
Mar 15, 2022