GHSA-fw9h-cxx9-gfq3

Suggest an improvement
Source
https://github.com/advisories/GHSA-fw9h-cxx9-gfq3
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-fw9h-cxx9-gfq3/GHSA-fw9h-cxx9-gfq3.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-fw9h-cxx9-gfq3
Aliases
  • CVE-2024-23901
Published
2024-01-24T18:31:02Z
Modified
2024-01-31T20:31:40.928389Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N CVSS Calculator
Summary
Shared projects are unconditionally discovered by Jenkins GitLab Branch Source Plugin
Details

GitLab allows sharing a project with another group.

Jenkins GitLab Branch Source Plugin 684.veafa7c1e2fe3 and earlier unconditionally discovers projects that are shared with the configured owner group.

This allows attackers to configure and share a project, resulting in a crafted Pipeline being built by Jenkins after the next scan of the group’s projects.

In GitLab Branch Source Plugin 688.v5fa_356ee8520, the default strategy for discovering projects does not discover projects shared with the configured owner group. To discover projects shared with the configured owner group, use the new trait "Discover shared projects".

Database specific
{
    "nvd_published_at": "2024-01-24T18:15:09Z",
    "cwe_ids": [
        "CWE-200"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-24T21:49:51Z"
}
References

Affected packages

Maven / io.jenkins.plugins:gitlab-branch-source

Package

Name
io.jenkins.plugins:gitlab-branch-source
View open source insights on deps.dev
Purl
pkg:maven/io.jenkins.plugins/gitlab-branch-source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
688.v5fa

Affected versions

0.*

0.0.5-alpha-2
0.0.7-beta
0.0.8-beta

1.*

1.0.0
1.1.0
1.1.1-alpha
1.1.2-alpha
1.2.0
1.2.1
1.2.2
1.3.0
1.4.0
1.4.1
1.4.2
1.4.3
1.4.4
1.4.5
1.4.6
1.5.0
1.5.1
1.5.2
1.5.3
1.5.4
1.5.5
1.5.6
1.5.7
1.5.8
1.5.9

621.*

621.vd49608f876da_

623.*

623.vcc98dc4b_0ce4

625.*

625.v85cf3a_400cfe

628.*

628.ve99e3d4df4b_8

629.*

629.vb_cc76608e806

630.*

630.v04ca_c57fa_880

633.*

633.ved9984f943da_

636.*

636.v55fd8144d335

640.*

640.v7101b_1c0def9

642.*

642.v9ed86b_b_54384

643.*

643.vdc12a_4a_06434

644.*

644.va_a_66886e07b_5

645.*

645.v62a_b_6fce8659

646.*

646.vb_9560d64b_69f

647.*

647.vdee7766b_cfa_e

649.*

649.v0dda_db_88b_5ee

650.*

650.va_d1ce6d01959

659.*

659.va_685a_51fda_db_

660.*

660.vd45c0f4c0042

663.*

663.v2602c3e6376d

664.*

664.v877fdc293c89

670.*

670.vf7df45517001

671.*

671.v67b_7169092ca_

672.*

672.vd8b_0b_b_a_db_1b_3

677.*

677.v0b_63b_038322b_

679.*

679.v1dfd3604d46e

680.*

680.vc179a_1a_37915

684.*

684.vea_fa_7c1e2fe3