CVE-2022-27206
First published: Tue Mar 15 2022(Updated: )
Jenkins GitLab Authentication Plugin 1.13 and earlier stores the GitLab client secret unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.
Credit: jenkinsci-cert@googlegroups.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Jenkins GitLab Authentication Plugin | <=1.13 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2022-27206?
CVE-2022-27206 has a moderate severity rating due to the exposure of sensitive data.
How do I fix CVE-2022-27206?
To fix CVE-2022-27206, upgrade the Jenkins GitLab Authentication Plugin to version 1.14 or later.
What types of data are exposed in CVE-2022-27206?
CVE-2022-27206 exposes the GitLab client secret in an unencrypted format within the global config.xml file.
Who is affected by CVE-2022-27206?
Any Jenkins instance using GitLab Authentication Plugin versions 1.13 and earlier is affected by CVE-2022-27206.
What actions should users take regarding CVE-2022-27206?
Users should immediately update their Jenkins GitLab Authentication Plugin and review access controls to the Jenkins controller file system.
- agent/author
- agent/references
- agent/type
- agent/weakness
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- collector/nvd-api
- agent/software-canonical-lookup-request
- collector/nvd-index
- vendor/jenkins
- canonical/jenkins gitlab authentication plugin
- version/jenkins gitlab authentication plugin/1.13