CVE-2018-1000196
Description
An exposure of sensitive information vulnerability exists in Jenkins Gitlab Hook Plugin 1.4.2 and older, in gitlab_notifier.rb and views/gitlab_notifier/global.erb, that allows attackers with local Jenkins master file system access or control of a Jenkins administrator's web browser (e.g. a malicious extension) to retrieve the configured Gitlab token.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins Gitlab Hook Plugin 1.4.2 and older exposes the configured Gitlab token to attackers with local file system access or browser control.
Vulnerability
The Jenkins Gitlab Hook Plugin handles the configured Gitlab token in gitlab_notifier.rb and in the view template views/gitlab_notifier/global.erb in a way that leaves the token readable. In versions 1.4.2 and older, this exposes the token to attackers who can read the Jenkins master file system or who can view the global configuration page rendered from that template, as noted in the security advisory [1][2].
Exploitation
An attacker needs either local access to the Jenkins master file system (e.g., the ability to read files) or control of a Jenkins administrator's web browser (e.g., through a malicious browser extension). With local file system access, the attacker can read the configuration file directly. With browser control, the attacker can load the global configuration page (rendered from views/gitlab_notifier/global.erb) in the administrator's session and retrieve the token from it.
Impact
Successful exploitation results in disclosure of the configured Gitlab token. This token could allow the attacker to authenticate to Gitlab as the plugin user, potentially leading to unauthorized access to Gitlab repositories and actions limited by the token's permissions.
Mitigation
Upgrade to a fixed version of the plugin (e.g., 1.4.3 or later) if available. As a workaround, restrict file system access to the Jenkins master and ensure administrators use secure browsers without malicious extensions. The vulnerability was addressed in the Jenkins security advisory released on 2018-05-09 [1].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.ruby-plugins:gitlab-hook (Maven) | <= 1.4.2 | — |
Affected products
- Range: <=1.4.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] jenkins.io/security/advisory/2018-05-09/ (advisory; source: GHSA, x_refsource_CONFIRM, WEB)
- [2] github.com/advisories/GHSA-7p4p-v6hr-gp3m (advisory; source: GHSA)
- nvd.nist.gov/vuln/detail/CVE-2018-1000196 (advisory; source: GHSA)
News mentions
No linked articles in our index yet.