GHSA-qq38-mxpq-rrpj

Source
https://github.com/advisories/GHSA-qq38-mxpq-rrpj
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-qq38-mxpq-rrpj/GHSA-qq38-mxpq-rrpj.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-qq38-mxpq-rrpj
Aliases
Published
2022-05-24T17:23:39Z
Modified
2023-11-08T04:02:58.434078Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Improper authorization of users and groups with the same base name in Jenkins GitLab Authentication Plugin
Details

GitLab Authentication Plugin 1.5 and earlier does not differentiate between user names and hierarchical group names when performing authorization: a granted name is matched without regard to whether it refers to a user or a group. This allows an attacker with permission to create groups in GitLab to gain the privileges granted to another user or group with the same base name.

GitLab Authentication Plugin 1.6 performs user name and group name authorization checks using the appropriate GitLab APIs.
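To make the authorization flaw concrete, the following is an added illustration written for this page; it is not code from the GitLab Authentication Plugin and does not reproduce its internals. It contrasts a flat check that pools user names and group paths into one bag of strings with a typed check that matches on (principal kind, name), which is the distinction the 1.6 fix enforces by consulting the GitLab user and group APIs. The role matrix, the user names and the group paths are constructed sample data, and the `find_collisions` audit is an added defender check, not a plugin feature.

```python
from dataclasses import dataclass
from enum import Enum


class Kind(Enum):
    USER = "user"
    GROUP = "group"


@dataclass(frozen=True)
class Principal:
    """A grantee in the role matrix: its kind plus its name or full group path."""
    kind: Kind
    name: str


@dataclass(frozen=True)
class Session:
    """What an authenticated session knows about itself (constructed shape)."""
    username: str
    groups: frozenset  # full paths of GitLab groups the user belongs to


# Constructed role matrix: "administer" is granted to the *user* alice,
# "deploy" to members of the *group* acme/infra.
GRANTS = {
    "administer": (Principal(Kind.USER, "alice"),),
    "deploy": (Principal(Kind.GROUP, "acme/infra"),),
}

# Constructed sessions. BOB belongs to a group whose path is "alice",
# i.e. the same base name as the user alice.
ALICE = Session("alice", frozenset())
BOB = Session("bob", frozenset({"alice", "acme/infra"}))


def authorized_flat(session: Session, role: str) -> bool:
    """Flawed check: every name the session carries goes into one set of
    strings, so a group named "alice" satisfies a grant meant for the user
    alice."""
    names = {session.username} | set(session.groups)
    return any(p.name in names for p in GRANTS.get(role, ()))


def authorized_typed(session: Session, role: str) -> bool:
    """Corrected check: the session's user name is only ever a USER principal
    and its memberships are only ever GROUP principals, so a grant matches
    only when both kind and name agree."""
    held = {Principal(Kind.USER, session.username)} | {
        Principal(Kind.GROUP, g) for g in session.groups
    }
    return any(p in held for p in GRANTS.get(role, ()))


def find_collisions(known_users: set, known_groups: set) -> set:
    """Audit helper: names granted as USER that also exist as a group path.
    Each such name is a grant the flat check would honour for group members.
    The two sets stand in for what a real deployment would fetch from the
    GitLab user and group APIs (assumption)."""
    user_grants = {
        p.name for ps in GRANTS.values() for p in ps if p.kind == Kind.USER
    }
    return user_grants & known_users & known_groups


if __name__ == "__main__":
    for who in (ALICE, BOB):
        for role in GRANTS:
            print(who.username, role,
                  "flat:", authorized_flat(who, role),
                  "typed:", authorized_typed(who, role))
    print("colliding grants:", find_collisions({"alice", "bob"}, {"alice", "acme/infra"}))
```

Running it shows the flat check granting `bob` the `administer` role through the group named `alice`, while the typed check grants him only `deploy` via his `acme/infra` membership; `find_collisions` flags `alice` as a user grant that a same-named group could satisfy under the flawed logic, which is the kind of pre-upgrade audit an administrator can run over an existing role matrix.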

Database specific
{
    "nvd_published_at": "2020-07-15T18:15:00Z",
    "github_reviewed_at": "2022-12-28T23:44:46Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-863"
    ]
}
References

Affected packages

Maven / org.jenkins-ci.plugins:gitlab-oauth

Package

Name
org.jenkins-ci.plugins:gitlab-oauth
Purl
pkg:maven/org.jenkins-ci.plugins/gitlab-oauth

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.6

Affected versions

1.*

1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8
1.0.9
1.1
1.2
1.3
1.4
1.5

Database specific

{
    "last_known_affected_version_range": "<= 1.5"
}