GHSA-qq38-mxpq-rrpj

Suggest an improvement
Source
https://github.com/advisories/GHSA-qq38-mxpq-rrpj
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-qq38-mxpq-rrpj/GHSA-qq38-mxpq-rrpj.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-qq38-mxpq-rrpj
Aliases
Published
2022-05-24T17:23:39Z
Modified
2023-11-08T04:02:58.434078Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Improper authorization of users and groups with the same base name in Jenkins GitLab Authentication Plugin
Details

GitLab Authentication Plugin 1.5 and earlier does not differentiate between user names and hierarchical group names when performing authorization. This allows an attacker with permissions to create groups in GitLab to gain the privileges granted to another user or group.

GitLab Authentication Plugin 1.6 performs user name and group name authorization checks using the appropriate GitLab APIs.

References

Affected packages

Maven / org.jenkins-ci.plugins:gitlab-oauth

Package

Name
org.jenkins-ci.plugins:gitlab-oauth
View open source insights on deps.dev
Purl
pkg:maven/org.jenkins-ci.plugins/gitlab-oauth

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.6

Affected versions

1.*

1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8
1.0.9
1.1
1.2
1.3
1.4
1.5

Database specific

{
    "last_known_affected_version_range": "<= 1.5"
}