Gitlab Hook Plugin
Source repositories
CVEs (18)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-2096 | 0.10 | — | 0.93 | Jan 15, 2020 | Jenkins Gitlab Hook Plugin 1.4.2 and earlier does not escape project names in the build_now endpoint, resulting in a reflected XSS vulnerability. | |||
| CVE-2025-24397 | 0.00 | — | 0.01 | Jan 22, 2025 | An incorrect permission check in Jenkins GitLab Plugin 1.9.6 and earlier allows attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to enumerate credential IDs of GitLab API token and Secret text credentials stored in… | |||
| CVE-2022-46685 | 0.00 | — | 0.00 | Dec 7, 2022 | In Jenkins Gitea Plugin 1.4.4 and earlier, the implementation of Gitea personal access tokens did not support credentials masking, potentially exposing them through the build log. | |||
| CVE-2022-43411 | 0.00 | — | 0.00 | Oct 19, 2022 | Jenkins GitLab Plugin 1.5.35 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token. | |||
| CVE-2022-38663 | 0.00 | — | 0.02 | Aug 23, 2022 | Jenkins Git Plugin 4.11.4 and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log provided by the Git Username and Password (`gitUsernamePassword`) credentials binding. | |||
| CVE-2022-36884 | 0.00 | — | 0.01 | Jul 27, 2022 | The webhook endpoint in Jenkins Git Plugin 4.11.3 and earlier provide unauthenticated attackers information about the existence of jobs configured to use an attacker-specified Git repository. | |||
| CVE-2022-36883 | 0.00 | — | 0.81 | Jul 27, 2022 | A missing permission check in Jenkins Git Plugin 4.11.3 and earlier allows unauthenticated attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit. | |||
| CVE-2022-36882 | 0.00 | — | 0.00 | Jul 27, 2022 | A cross-site request forgery (CSRF) vulnerability in Jenkins Git Plugin 4.11.3 and earlier allows attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit. | |||
| CVE-2022-34777 | 0.00 | — | 0.15 | Jun 30, 2022 | Jenkins GitLab Plugin 1.5.34 and earlier does not escape multiple fields inserted into the description of webhook-triggered builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||
| CVE-2022-30955 | 0.00 | — | 0.00 | May 17, 2022 | Jenkins GitLab Plugin 1.5.31 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. | |||
| CVE-2022-30947 | 0.00 | — | 0.00 | May 17, 2022 | Jenkins Git Plugin 4.11.1 and earlier allows attackers able to configure pipelines to check out some SCM repositories stored on the Jenkins controller's file system using local paths as SCM URLs, obtaining limited information about other projects' SCM contents. | |||
| CVE-2021-21684 | 0.00 | — | 0.01 | Oct 6, 2021 | Jenkins Git Plugin 4.8.2 and earlier does not escape the Git SHA-1 checksum parameters provided to commit notifications when displaying them in a build cause, resulting in a stored cross-site scripting (XSS) vulnerability. | |||
| CVE-2020-2136 | 0.00 | — | 0.00 | Mar 9, 2020 | Jenkins Git Plugin 4.2.0 and earlier does not escape the error message for the repository URL for Microsoft TFS field form validation, resulting in a stored cross-site scripting vulnerability. | |||
| CVE-2019-10429 | 0.00 | — | 0.00 | Sep 25, 2019 | Jenkins GitLab Logo Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. | |||
| CVE-2019-10330 | 0.00 | — | 0.01 | May 31, 2019 | Jenkins Gitea Plugin 1.1.1 and earlier did not implement trusted revisions, allowing attackers without commit access to the Git repo to change Jenkinsfiles even if Jenkins is configured to consider them to be untrusted. | |||
| CVE-2019-10301 | 0.00 | — | 0.00 | Apr 18, 2019 | A missing permission check in Jenkins GitLab Plugin 1.5.11 and earlier in the GitLabConnectionConfig#doTestConnection form validation method allowed attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained… | |||
| CVE-2019-10300 | 0.00 | — | 0.00 | Apr 18, 2019 | A cross-site request forgery vulnerability in Jenkins GitLab Plugin 1.5.11 and earlier in the GitLabConnectionConfig#doTestConnection form validation method allowed attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through… | |||
| CVE-2018-1000196 | 0.00 | — | 0.00 | Jun 5, 2018 | A exposure of sensitive information vulnerability exists in Jenkins Gitlab Hook Plugin 1.4.2 and older in gitlab_notifier.rb, views/gitlab_notifier/global.erb that allows attackers with local Jenkins master file system access or control of a Jenkins administrator's web browser… |
- CVE-2020-2096Jan 15, 2020risk 0.10cvss —epss 0.93
Jenkins Gitlab Hook Plugin 1.4.2 and earlier does not escape project names in the build_now endpoint, resulting in a reflected XSS vulnerability.
- CVE-2025-24397Jan 22, 2025risk 0.00cvss —epss 0.01
An incorrect permission check in Jenkins GitLab Plugin 1.9.6 and earlier allows attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to enumerate credential IDs of GitLab API token and Secret text credentials stored in…
- CVE-2022-46685Dec 7, 2022risk 0.00cvss —epss 0.00
In Jenkins Gitea Plugin 1.4.4 and earlier, the implementation of Gitea personal access tokens did not support credentials masking, potentially exposing them through the build log.
- CVE-2022-43411Oct 19, 2022risk 0.00cvss —epss 0.00
Jenkins GitLab Plugin 1.5.35 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token.
- CVE-2022-38663Aug 23, 2022risk 0.00cvss —epss 0.02
Jenkins Git Plugin 4.11.4 and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log provided by the Git Username and Password (`gitUsernamePassword`) credentials binding.
- CVE-2022-36884Jul 27, 2022risk 0.00cvss —epss 0.01
The webhook endpoint in Jenkins Git Plugin 4.11.3 and earlier provide unauthenticated attackers information about the existence of jobs configured to use an attacker-specified Git repository.
- CVE-2022-36883Jul 27, 2022risk 0.00cvss —epss 0.81
A missing permission check in Jenkins Git Plugin 4.11.3 and earlier allows unauthenticated attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit.
- CVE-2022-36882Jul 27, 2022risk 0.00cvss —epss 0.00
A cross-site request forgery (CSRF) vulnerability in Jenkins Git Plugin 4.11.3 and earlier allows attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit.
- CVE-2022-34777Jun 30, 2022risk 0.00cvss —epss 0.15
Jenkins GitLab Plugin 1.5.34 and earlier does not escape multiple fields inserted into the description of webhook-triggered builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
- CVE-2022-30955May 17, 2022risk 0.00cvss —epss 0.00
Jenkins GitLab Plugin 1.5.31 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
- CVE-2022-30947May 17, 2022risk 0.00cvss —epss 0.00
Jenkins Git Plugin 4.11.1 and earlier allows attackers able to configure pipelines to check out some SCM repositories stored on the Jenkins controller's file system using local paths as SCM URLs, obtaining limited information about other projects' SCM contents.
- CVE-2021-21684Oct 6, 2021risk 0.00cvss —epss 0.01
Jenkins Git Plugin 4.8.2 and earlier does not escape the Git SHA-1 checksum parameters provided to commit notifications when displaying them in a build cause, resulting in a stored cross-site scripting (XSS) vulnerability.
- CVE-2020-2136Mar 9, 2020risk 0.00cvss —epss 0.00
Jenkins Git Plugin 4.2.0 and earlier does not escape the error message for the repository URL for Microsoft TFS field form validation, resulting in a stored cross-site scripting vulnerability.
- CVE-2019-10429Sep 25, 2019risk 0.00cvss —epss 0.00
Jenkins GitLab Logo Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.
- CVE-2019-10330May 31, 2019risk 0.00cvss —epss 0.01
Jenkins Gitea Plugin 1.1.1 and earlier did not implement trusted revisions, allowing attackers without commit access to the Git repo to change Jenkinsfiles even if Jenkins is configured to consider them to be untrusted.
- CVE-2019-10301Apr 18, 2019risk 0.00cvss —epss 0.00
A missing permission check in Jenkins GitLab Plugin 1.5.11 and earlier in the GitLabConnectionConfig#doTestConnection form validation method allowed attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained…
- CVE-2019-10300Apr 18, 2019risk 0.00cvss —epss 0.00
A cross-site request forgery vulnerability in Jenkins GitLab Plugin 1.5.11 and earlier in the GitLabConnectionConfig#doTestConnection form validation method allowed attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through…
- CVE-2018-1000196Jun 5, 2018risk 0.00cvss —epss 0.00
A exposure of sensitive information vulnerability exists in Jenkins Gitlab Hook Plugin 1.4.2 and older in gitlab_notifier.rb, views/gitlab_notifier/global.erb that allows attackers with local Jenkins master file system access or control of a Jenkins administrator's web browser…