CVE-2018-1000196

Name of the Vulnerable Software and Affected Versions Jenkins Gitlab Hook Plugin versions 1.4.2 and older

Description A sensitive information exposure issue exists, allowing attackers with local Jenkins master file system access or control of a Jenkins administrator's web browser to retrieve the configured Gitlab token. This is due to a vulnerability in the gitlab notifier.rb and views/gitlab notifier/global.erb files.

Recommendations For Jenkins Gitlab Hook Plugin versions 1.4.2 and older, consider restricting access to the gitlab notifier.rb and views/gitlab notifier/global.erb files until a patch is available. As a temporary workaround, restrict the use of the Gitlab token in the Jenkins configuration to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.