Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1xcTM4LW14cHEtcnJwas4AAlYT

Improper authorization of users and groups with the same base name in Jenkins GitLab Authentication Plugin

GitLab Authentication Plugin 1.5 and earlier does not differentiate between user names and hierarchical group names when performing authorization. This allows an attacker with permissions to create groups in GitLab to gain the privileges granted to another user or group.

GitLab Authentication Plugin 1.6 performs user name and group name authorization checks using the appropriate GitLab APIs.

Permalink: https://github.com/advisories/GHSA-qq38-mxpq-rrpj
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xcTM4LW14cHEtcnJwas4AAlYT
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: over 1 year ago
CVSS Score: 8.1
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-qq38-mxpq-rrpj, CVE-2020-2228
References:
Blast Radius: 1.0

Affected Packages

maven:org.jenkins-ci.plugins:gitlab-oauth
Affected Version Ranges: <= 1.5
Fixed in: 1.6