PT-2020-15449 · Jenkins · Jenkins Gitlab Authentication Plugin
Published: 2020-07-15 · Updated: 2023-10-25
CVE-2020-2228
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Jenkins Gitlab Authentication Plugin versions 1.5 and earlier
Description
The plugin does not perform proper group authorization checks, which allows privilege escalation. Specifically, it does not differentiate between user names and hierarchical group names when performing authorization, so an attacker with permission to create groups in GitLab can gain the privileges granted to another user or group.
Recommendations
For Jenkins Gitlab Authentication Plugin versions 1.5 and earlier, update to version 1.6 or later, which performs user name and group name authorization checks using the appropriate GitLab APIs.
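As an added illustration (not the plugin's own code; all users, groups and grants are constructed sample data), the following simplified model shows the flaw in the description and the shape of the fix in the recommendation: an authorization matrix keyed by bare names lets a GitLab group named after a user inherit that user's grants, whereas resolving each entry as either a user or a group closes the gap.

```python
from __future__ import annotations

# Constructed GitLab state. Group paths are hierarchical ("acme/devops").
# The group "alice" was created by bob, who may create groups but is not alice.
GITLAB_USERS = {"alice", "bob"}
GITLAB_GROUPS = {"acme/devops", "alice"}
GROUP_MEMBERS = {"acme/devops": {"bob"}, "alice": {"bob"}}

# Constructed Jenkins-style authorization matrix: authority name -> permissions.
MATRIX = {
    "alice": {"Job/Configure", "Job/Delete"},
    "acme/devops": {"Job/Build"},
}


def authorities_flat(login: str) -> set[str]:
    """Vulnerable model: the login and every group path the user belongs to are
    merged into one untyped set of strings, so the group "alice" and the user
    alice look identical to the matrix lookup."""
    groups = {g for g, members in GROUP_MEMBERS.items() if login in members}
    return {login} | groups


def permissions_vulnerable(login: str) -> set[str]:
    """Grant every matrix entry whose name appears in the flat authority set."""
    perms: set[str] = set()
    for name in authorities_flat(login):
        perms |= MATRIX.get(name, set())
    return perms


def permissions_fixed(login: str) -> set[str]:
    """Hardened model: each matrix entry is resolved as a user or as a group,
    never both. A name that is a real user login grants only to that exact
    login; only names that are not user logins are resolved as group paths,
    and then only when the login is actually a member of that group."""
    perms: set[str] = set()
    for name, granted in MATRIX.items():
        if name in GITLAB_USERS:
            if name == login:
                perms |= granted
        elif name in GITLAB_GROUPS and login in GROUP_MEMBERS.get(name, set()):
            perms |= granted
    return perms
```

With the flat lookup, bob receives alice's Job/Configure and Job/Delete through the look-alike group; with typed resolution he keeps only the Job/Build granted to acme/devops.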
Weakness Enumeration
Incorrect Authorization
Related Identifiers
CVE-2020-2228
Affected Products
Jenkins
Jenkins Gitlab Authentication Plugin