CVE-2019-10301

Name of the Vulnerable Software and Affected Versions Jenkins GitLab Plugin versions 1.5.11 and earlier

Description A missing permission check in the GitLabConnectionConfig#doTestConnection form validation method allowed attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs, capturing credentials stored in Jenkins. This issue also resulted in a cross-site request forgery vulnerability due to the form validation method not requiring POST requests.

Recommendations For Jenkins GitLab Plugin versions 1.5.11 and earlier, update the plugin to a version that requires POST requests and Overall/Administer permissions for the form validation method. As a temporary workaround, consider restricting access to the GitLabConnectionConfig#doTestConnection method to users with Overall/Administer permissions until a patch is available.