Jenkins Gitlab Hook Plugin stores and displays GitLab API token in plain text
Moderate severity
GitHub Reviewed
Published
May 14, 2022
to the GitHub Advisory Database
•
Updated Jan 30, 2024
Package
Affected versions
<= 1.4.2
Patched versions
None
Description
Published by the National Vulnerability Database
Jun 5, 2018
Published to the GitHub Advisory Database
May 14, 2022
Reviewed
Jan 30, 2024
Last updated
Jan 30, 2024
A exposure of sensitive information vulnerability exists in Jenkins Gitlab Hook Plugin 1.4.2 and older in gitlab_notifier.rb, views/gitlab_notifier/global.erb that allows attackers with local Jenkins master file system access or control of a Jenkins administrator's web browser (e.g. malicious extension) to retrieve the configured Gitlab token.
References