Maven package
io.jenkins.plugins/gitlab-branch-source
pkg:maven/io.jenkins.plugins/gitlab-branch-source
Vulnerabilities (3)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-23903 | — | | | < 688.v5fa | 688.v5fa | Jan 24, 2024 | Jenkins GitLab Branch Source Plugin 684.vea_fa_7c1e2fe3 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token. |
| CVE-2024-23902 | — | | | < 688.v5fa | 688.v5fa | Jan 24, 2024 | A cross-site request forgery (CSRF) vulnerability in Jenkins GitLab Branch Source Plugin 684.vea_fa_7c1e2fe3 and earlier allows attackers to connect to an attacker-specified URL. |
| CVE-2024-23901 | — | | | < 688.v5fa | 688.v5fa | Jan 24, 2024 | Jenkins GitLab Branch Source Plugin 684.vea_fa_7c1e2fe3 and earlier unconditionally discovers projects that are shared with the configured owner group, allowing attackers to configure and share a project, resulting in a crafted Pipeline being built by Jenkins during the next scan. |