PT-2024-1424 · Jenkins · Jenkins Gitlab Branch Source Plugin

Francois Marot · Published 2024-01-24 · Updated 2024-04-11 · CVE-2024-23901

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins GitLab Branch Source Plugin versions 684.veafa7c1e2fe3 and earlier
Description: The issue is insufficient access control in the Jenkins GitLab Branch Source Plugin. The plugin unconditionally discovers every project that is shared with the configured owner group, so a remote attacker who can configure a GitLab project and share it with that group can get a crafted Pipeline from that project built by Jenkins during the next scan of the group.
Recommendations: For Jenkins GitLab Branch Source Plugin versions 684.veafa7c1e2fe3 and earlier, update to a version that adds the new "Discover shared projects" trait, such as GitLab Branch Source Plugin 688.v5fa356ee8520, so that shared projects are only discovered when that trait is explicitly enabled. As a temporary workaround until the update is applied, restrict the plugin's ability to discover projects shared with the configured owner group.

Fix

Weakness Enumeration

Improper Access Control
Information Disclosure

Related Identifiers

BDU:2024-00897
CVE-2024-23901
GHSA-FW9H-CXX9-GFQ3

Affected Products

Jenkins
Jenkins Gitlab Branch Source Plugin
Red Os