Permission Check Flaw in Jenkins GitLab Plugin Allows Credential Enumeration
CVE-2025-24397
4.3 MEDIUM
Summary
A security vulnerability exists in the Jenkins GitLab Plugin, in versions up to and including 1.9.6, due to an improper permission check. The flaw enables attackers who hold global Item/Configure permission, but lack permission on specific jobs, to enumerate the IDs of GitLab API token credentials and Secret text credentials stored in Jenkins. This could compromise the confidentiality of sensitive information, allowing unauthorized access and manipulation.
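The defensive pattern for this class of flaw, shown here as an added illustration rather than the GitLab Plugin's own code or its actual fixed endpoint: a Jenkins form-fill method that populates a credentials dropdown must check the requesting user's permission on the job it is invoked from (or Overall/Administer when there is no job context) before listing credential IDs, because the dropdown endpoint is reachable over HTTP by any user who can submit the request. The class name ExampleGitLabConnection and its descriptor are hypothetical; the Jenkins core and Credentials Plugin APIs used (Item.EXTENDED_READ, CredentialsProvider.USE_ITEM, StandardListBoxModel) are the real ones that the Jenkins form-validation guidance recommends.

```java
package example;

import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardCredentials;
import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
import com.cloudbees.plugins.credentials.domains.DomainRequirement;
import hudson.Extension;
import hudson.model.AbstractDescribableImpl;
import hudson.model.Descriptor;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.ListBoxModel;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.QueryParameter;

import java.util.Collections;
import java.util.List;

/** Hypothetical describable holding a credentials ID selected from a dropdown (example, not plugin code). */
public class ExampleGitLabConnection extends AbstractDescribableImpl<ExampleGitLabConnection> {

    private final String credentialsId;

    @DataBoundConstructor
    public ExampleGitLabConnection(String credentialsId) {
        this.credentialsId = credentialsId;
    }

    public String getCredentialsId() {
        return credentialsId;
    }

    @Extension
    public static class DescriptorImpl extends Descriptor<ExampleGitLabConnection> {

        private static final List<DomainRequirement> NO_DOMAIN_REQUIREMENTS = Collections.emptyList();

        /**
         * ANTI-PATTERN (the flaw class described above): no permission check at all.
         * Anyone who can send the form-fill request to Jenkins receives every credential ID
         * visible to SYSTEM, regardless of whether they may configure the job in question.
         */
        public ListBoxModel doFillCredentialsIdItemsUnchecked(@AncestorInPath Item item,
                                                              @QueryParameter String credentialsId) {
            return new StandardListBoxModel()
                    .includeEmptyValue()
                    .includeMatchingAs(ACL.SYSTEM, item, StandardCredentials.class,
                            NO_DOMAIN_REQUIREMENTS, CredentialsMatchers.always())
                    .includeCurrentValue(credentialsId);
        }

        /**
         * HARDENED: authorize against the job context before enumerating anything.
         * Callers who lack permission on this specific item only get back the value they
         * already submitted, so the endpoint leaks no IDs it did not receive.
         */
        public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Item item,
                                                     @QueryParameter String credentialsId) {
            StandardListBoxModel result = new StandardListBoxModel();

            if (item == null) {
                // Global configuration context: require Overall/Administer.
                if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
                    return result.includeCurrentValue(credentialsId);
                }
            } else {
                // Job context: require the ability to read the job's full configuration
                // or to use credentials from this item. Item/Configure granted globally is
                // not enough on its own; the check is evaluated against this item's ACL.
                if (!item.hasPermission(Item.EXTENDED_READ)
                        && !item.hasPermission(CredentialsProvider.USE_ITEM)) {
                    return result.includeCurrentValue(credentialsId);
                }
            }

            return result
                    .includeEmptyValue()
                    .includeMatchingAs(ACL.SYSTEM, item, StandardCredentials.class,
                            NO_DOMAIN_REQUIREMENTS, CredentialsMatchers.always())
                    .includeCurrentValue(credentialsId);
        }

        @Override
        public String getDisplayName() {
            return "Example GitLab connection (illustrative)";
        }
    }
}
```

The hardened method preserves the user's current selection with includeCurrentValue so an existing configuration does not appear blank to a user who can view but not edit it, while still refusing to enumerate other IDs. A review check for any Jenkins plugin is that every doFill*Items and doCheck* method that touches credentials performs this item-scoped hasPermission test before calling into CredentialsProvider.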
Affected Version(s)
Jenkins GitLab Plugin, all versions up to and including 1.9.6 (0 <= version <= 1.9.6)
References
CVSS v3.1
Score: 4.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved