Описание
Improper authorization of users and groups with the same base name in Jenkins GitLab Authentication Plugin
GitLab Authentication Plugin 1.5 and earlier does not differentiate between user names and hierarchical group names when performing authorization. This allows an attacker with permissions to create groups in GitLab to gain the privileges granted to another user or group.
GitLab Authentication Plugin 1.6 performs user name and group name authorization checks using the appropriate GitLab APIs.
Пакеты
Наименование
org.jenkins-ci.plugins:gitlab-oauth
maven
Затронутые версииВерсия исправления
<= 1.5
1.6
Связанные уязвимости
CVSS3: 8.8
nvd
больше 5 лет назад
Jenkins Gitlab Authentication Plugin 1.5 and earlier does not perform group authorization checks properly, resulting in a privilege escalation vulnerability.