PT-2025-5355 · Jenkins · Jenkins Git Plugin
Authors: Kevin Guerroudj and one other
Published: 2025-01-22 · Updated: 2025-10-03
CVE-2025-24397
CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Jenkins GitLab Plugin versions 1.9.6 and earlier
Description
The vulnerability is an incorrect permission check in the Jenkins GitLab Plugin. It allows attackers who hold the global Item/Configure permission, but lack Item/Configure permission on any particular job, to enumerate the credential IDs of GitLab API token and Secret text credentials stored in Jenkins. Those credential IDs can then be used as part of an attack that captures the credentials themselves through another vulnerability.
Recommendations
For Jenkins GitLab Plugin versions 1.9.6 and earlier, upgrade to version 1.9.7 or later. As a temporary workaround, restrict which users hold the global Item/Configure permission to reduce the risk of exploitation, and restrict access to the GitLab Plugin's HTTP endpoint so that credential IDs cannot be enumerated.
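The following script is an added example, not part of the advisory or of the GitLab Plugin project: it checks whether an installed copy of the plugin is still in the affected range (1.9.6 and earlier) by reading the plugin list Jenkins exposes at /pluginManager/api/json?depth=1. It assumes the plugin's short name is gitlab-plugin, and the JSON response embedded below is constructed for the example rather than captured from a real instance. Versions are compared numerically so that 1.9.10 is correctly treated as newer than 1.9.7.

```python
"""Audit helper for CVE-2025-24397 (Jenkins GitLab Plugin <= 1.9.6).

Added example, not from the advisory or the plugin project. Feed it the
parsed JSON from /pluginManager/api/json?depth=1 of a Jenkins instance.
"""
import json
import re

FIXED_VERSION = "1.9.7"            # first fixed release named in the advisory
PLUGIN_SHORT_NAME = "gitlab-plugin"  # assumed short name of the GitLab Plugin


def parse_version(version):
    """Turn '1.9.10' into (1, 9, 10); stop at the first non-numeric piece so
    suffixes such as '-123.vabc' are ignored. Tuples compare numerically."""
    numbers = []
    for part in version.split("."):
        match = re.match(r"\d+", part)
        if not match:
            break
        numbers.append(int(match.group()))
    return tuple(numbers)


def is_affected(version):
    """True when the installed version is below the fixed version (1.9.6 and earlier)."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def find_affected_plugins(plugin_manager_json):
    """Return [(shortName, version)] for installed GitLab Plugin entries still affected."""
    affected = []
    for plugin in plugin_manager_json.get("plugins", []):
        if plugin.get("shortName") != PLUGIN_SHORT_NAME:
            continue
        version = plugin.get("version", "0")
        if is_affected(version):
            affected.append((plugin["shortName"], version))
    return affected


# Constructed sample response in the shape of /pluginManager/api/json?depth=1
# (not captured from a real Jenkins instance).
SAMPLE_RESPONSE = json.loads("""{"plugins": [
  {"shortName": "git", "version": "5.2.2", "active": true},
  {"shortName": "gitlab-plugin", "version": "1.9.6", "active": true},
  {"shortName": "credentials", "version": "1000.vconstructed", "active": true}
]}""")

if __name__ == "__main__":
    hits = find_affected_plugins(SAMPLE_RESPONSE)
    if not hits:
        print("GitLab Plugin not installed or already at %s or later" % FIXED_VERSION)
    for name, ver in hits:
        print(f"{name} {ver}: affected by CVE-2025-24397, upgrade to {FIXED_VERSION} or later")
```

To run it against a live controller, fetch the endpoint with an account that may read plugin information and pass `json.load()` of the body to `find_affected_plugins`; the numeric comparison matters because a plain string comparison would wrongly flag 1.9.10 as older than 1.9.7.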
Fix
Upgrade the Jenkins GitLab Plugin to version 1.9.7 or later (see Recommendations).
Weakness type
Incorrect Authorization; Improper Authorization
Related Identifiers
CVE-2025-24397
Affected Products
Jenkins
Jenkins Git Plugin