Unconditional Project Discovery and Crafted Pipeline Execution in Jenkins GitLab Branch Source Plugin

Unconditional Project Discovery and Crafted Pipeline Execution in Jenkins GitLab Branch Source Plugin

CVE-2024-23901 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Jenkins GitLab Branch Source Plugin 684.vea_fa_7c1e2fe3 and earlier unconditionally discovers projects that are shared with the configured owner group, allowing attackers to configure and share a project, resulting in a crafted Pipeline being built by Jenkins during the next scan of the group.

Learn more about our Web Application Penetration Testing UK.