CVE-2020-2228

HIGH8.1EPSS 0.14%

Improper authorization of users and groups with the same base name in Jenkins GitLab Authentication Plugin

發布日:2022/5/24修改日:2023/11/8

描述

GitLab Authentication Plugin 1.5 and earlier does not differentiate between user names and hierarchical group names when performing authorization. This allows an attacker with permissions to create groups in GitLab to gain the privileges granted to another user or group. GitLab Authentication Plugin 1.6 performs user name and group name authorization checks using the appropriate GitLab APIs.

受影響套件(1)

Maven/org.jenkins-ci.plugins:gitlab-oauthfrom 0, < 1.6

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	HIGH8.1	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

參考連結(4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-2228
PATCHhttps://github.com/jenkinsci/gitlab-oauth-plugin
WEBhttps://jenkins.io/security/advisory/2020-07-15/#SECURITY-1792
WEBhttp://www.openwall.com/lists/oss-security/2020/07/15/5