GHSA-fw9h-cxx9-gfq3

Source
https://github.com/advisories/GHSA-fw9h-cxx9-gfq3
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-fw9h-cxx9-gfq3/GHSA-fw9h-cxx9-gfq3.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-fw9h-cxx9-gfq3
Aliases
  • CVE-2024-23901
Published
2024-01-24T18:31:02Z
Modified
2024-02-16T08:22:49.440628Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Summary
Shared projects are unconditionally discovered by Jenkins GitLab Branch Source Plugin
Details

GitLab allows sharing a project with another group.

Jenkins GitLab Branch Source Plugin 684.veafa7c1e2fe3 and earlier unconditionally discovers projects that are shared with the configured owner group.

This allows attackers to configure and share a project, resulting in a crafted Pipeline being built by Jenkins after the next scan of the group’s projects.

In GitLab Branch Source Plugin 688.v5fa_356ee8520, the default strategy for discovering projects does not discover projects shared with the configured owner group. To discover projects shared with the configured owner group, use the new trait "Discover shared projects".

Database specific
{
    "nvd_published_at": "2024-01-24T18:15:09Z",
    "cwe_ids": [
        "CWE-200"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-24T21:49:51Z"
}
References

Affected packages

Maven / io.jenkins.plugins:gitlab-branch-source

Package

Name
io.jenkins.plugins:gitlab-branch-source
Purl
pkg:maven/io.jenkins.plugins/gitlab-branch-source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
688.v5fa

Affected versions

0.*

0.0.5-alpha-2
0.0.7-beta
0.0.8-beta

1.*

1.0.0
1.1.0
1.1.1-alpha
1.1.2-alpha
1.2.0
1.2.1
1.2.2
1.3.0
1.4.0
1.4.1
1.4.2
1.4.3
1.4.4
1.4.5
1.4.6
1.5.0
1.5.1
1.5.2
1.5.3
1.5.4
1.5.5
1.5.6
1.5.7
1.5.8
1.5.9

621.*

621.vd49608f876da_

623.*

623.vcc98dc4b_0ce4

625.*

625.v85cf3a_400cfe

628.*

628.ve99e3d4df4b_8

629.*

629.vb_cc76608e806

630.*

630.v04ca_c57fa_880

633.*

633.ved9984f943da_

636.*

636.v55fd8144d335

640.*

640.v7101b_1c0def9

642.*

642.v9ed86b_b_54384

643.*

643.vdc12a_4a_06434

644.*

644.va_a_66886e07b_5

645.*

645.v62a_b_6fce8659

646.*

646.vb_9560d64b_69f

647.*

647.vdee7766b_cfa_e

649.*

649.v0dda_db_88b_5ee

650.*

650.va_d1ce6d01959

659.*

659.va_685a_51fda_db_

660.*

660.vd45c0f4c0042

663.*

663.v2602c3e6376d

664.*

664.v877fdc293c89

670.*

670.vf7df45517001

671.*

671.v67b_7169092ca_

672.*

672.vd8b_0b_b_a_db_1b_3

677.*

677.v0b_63b_038322b_

679.*

679.v1dfd3604d46e

680.*

680.vc179a_1a_37915

684.*

684.vea_fa_7c1e2fe3