CVE-2022-30955
Description
Jenkins GitLab Plugin 1.5.31 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins GitLab Plugin 1.5.31 and earlier lacks a permission check in an HTTP endpoint, allowing attackers with Overall/Read to enumerate credentials IDs.
Vulnerability
Jenkins GitLab Plugin versions 1.5.31 and earlier contain a missing permission check in the doFillJobCredentialIdItems HTTP endpoint. This endpoint is used to populate credential ID dropdowns in job configuration; it does not verify that the requesting user has the required item-level permissions (e.g., EXTENDED_READ or USE_ITEM). As a result, any user with the global Overall/Read permission can access this endpoint [2][3][4].
Exploitation
An attacker with Overall/Read permission on the Jenkins instance can send a crafted request to the vulnerable endpoint, which returns a list of credential IDs stored in Jenkins. The attacker does not need any additional privileges on individual items. The fix commit [4] shows that the plugin now checks for Jenkins.ADMINISTER when the item is null, and for Item.EXTENDED_READ or CredentialsProvider.USE_ITEM otherwise, before returning credential IDs.
Impact
Successful exploitation allows an attacker to enumerate credential IDs, revealing the existence and identifiers of credentials stored in Jenkins. While this does not expose the credential secrets themselves, it provides an attacker with information that can be used to target specific credentials in subsequent attacks. The vulnerability has a low confidentiality impact, with no direct effect on integrity or availability [2].
Mitigation
The issue is fixed in GitLab Plugin version 1.5.32, released on 2022-05-17 [2]. Users should upgrade to this version or later. No workarounds are available for older versions, and the plugin is not listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
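To check whether an instance falls in the affected range, here is an added example (not part of this advisory or of the GitLab Plugin project) in Python. It reads the plugin inventory Jenkins exposes at /pluginManager/api/json?depth=1 (the field names shortName and version are assumed from that API's usual output), compares versions component-wise so that 1.5.4 sorts before 1.5.31 rather than after it, and flags any gitlab-plugin install below 1.5.32. The inventory embedded in the block is a constructed sample; fetch_plugin_list shows how to pull the real one with a user and API token.

```python
import base64
import json
import urllib.request
from typing import List, Tuple

# From the advisory: GitLab Plugin 1.5.32 is the first version with the fix.
FIXED_VERSION = "1.5.32"

# Constructed sample in the shape of GET /pluginManager/api/json?depth=1
# (assumed field names; trimmed to what this check uses).
SAMPLE_PLUGIN_LIST = json.dumps({
    "plugins": [
        {"shortName": "gitlab-plugin", "version": "1.5.31", "active": True},
        {"shortName": "credentials", "version": "1111.v35a_7d82a_ee7b_", "active": True},
    ]
})


def parse_version(version: str) -> Tuple[int, ...]:
    """Numeric prefix of a plugin version as a tuple for component-wise comparison.

    Plain string comparison is wrong here ("1.5.4" > "1.5.31" as strings), so
    split on dots and compare integers. Parsing stops at the first component
    that does not start with a digit (e.g. "-rc1" suffixes or the hash-style
    versions newer plugins use), which is adequate for a "below 1.5.32" check.
    """
    parts: List[int] = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if ch.isdigit():
                digits += ch
            else:
                break
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def affected_plugins(plugin_list_json: str) -> List[Tuple[str, str]]:
    """Return (shortName, version) for each installed gitlab-plugin below the fixed version."""
    data = json.loads(plugin_list_json)
    hits: List[Tuple[str, str]] = []
    for plugin in data.get("plugins", []):
        if plugin.get("shortName") != "gitlab-plugin":
            continue
        version = str(plugin.get("version", ""))
        if parse_version(version) < parse_version(FIXED_VERSION):
            hits.append((plugin["shortName"], version))
    return hits


def fetch_plugin_list(base_url: str, user: str, api_token: str) -> str:
    """Fetch the plugin inventory from a Jenkins controller.

    Uses HTTP basic auth with a Jenkins API token; the caller needs Overall/Read
    on the instance for the plugin manager API to answer.
    """
    url = base_url.rstrip("/") + "/pluginManager/api/json?depth=1"
    auth = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + auth})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Replace SAMPLE_PLUGIN_LIST with fetch_plugin_list(...) output for a live check.
    for name, version in affected_plugins(SAMPLE_PLUGIN_LIST):
        print(f"{name} {version} is below {FIXED_VERSION}: upgrade (CVE-2022-30955)")
```

Running it against the constructed sample reports the 1.5.31 install; a 1.5.32 or later version yields no output. The component-wise comparison is the part worth keeping for other Jenkins plugin advisories, since version strings in the inventory are not lexically ordered.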
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:gitlab-plugin (Maven) | < 1.5.32 | 1.5.32 |
Affected products
- Range: <= 1.5.31
- Range: unspecified
Patches
1 file changed · +10 −0
src/main/java/com/dabsquared/gitlabjenkins/connection/GitLabConnectionProperty.java+10 −0 modified@@ -1,6 +1,7 @@ package com.dabsquared.gitlabjenkins.connection; +import com.cloudbees.plugins.credentials.CredentialsProvider; import com.cloudbees.plugins.credentials.common.StandardCredentials; import com.cloudbees.plugins.credentials.common.StandardListBoxModel; import com.cloudbees.plugins.credentials.domains.URIRequirementBuilder; @@ -125,6 +126,15 @@ public ListBoxModel doFillGitLabConnectionItems() { public ListBoxModel doFillJobCredentialIdItems(@AncestorInPath Item item, @QueryParameter String url, @QueryParameter String jobCredentialId) { StandardListBoxModel result = new StandardListBoxModel(); + if (item == null) { + if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) { + return result.includeCurrentValue(jobCredentialId); + } + } else { + if (!item.hasPermission(Item.EXTENDED_READ) && !item.hasPermission(CredentialsProvider.USE_ITEM)) { + return result.includeCurrentValue(jobCredentialId); + } + } return result.includeEmptyValue() .includeMatchingAs(ACL.SYSTEM, item, StandardCredentials.class, URIRequirementBuilder.fromUri(url).build(), new GitLabCredentialMatcher())
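Review bot: The permission gate added to doFillJobCredentialIdItems ships without a test: the diff touches only GitLabConnectionProperty.java, so nothing asserts that a caller holding just Overall/Read now receives only `result.includeCurrentValue(jobCredentialId)` instead of the full credential list. Suggest a test covering both branches (item == null requiring Jenkins.ADMINISTER, and an Item requiring Item.EXTENDED_READ or CredentialsProvider.USE_ITEM) so the check cannot be silently dropped in a later refactor. Minor style point: both nested `if` blocks return the same value, so they could be folded into a single condition, e.g. `boolean denied = item == null ? !Jenkins.get().hasPermission(Jenkins.ADMINISTER) : !item.hasPermission(Item.EXTENDED_READ) && !item.hasPermission(CredentialsProvider.USE_ITEM);` followed by one early return.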
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-5phj-qv74-pv4w (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-30955 (GHSA, advisory)
- github.com/jenkinsci/gitlab-plugin/commit/37e48ca920a4779109b885f4de62111e0baf846a (GHSA, web)
- www.jenkins.io/security/advisory/2022-05-17/ (GHSA, x_refsource_CONFIRM, web)
News mentions
- Jenkins Security Advisory 2022-05-17 (Jenkins Security Advisories, May 17, 2022)