CVE-2025-24397 Overview
An incorrect permission check in Jenkins GitLab Plugin version 1.9.6 and earlier allows attackers holding the global Item/Configure permission to enumerate the credential IDs of GitLab API token and Secret text credentials stored in Jenkins, even when they lack Item/Configure permission on any particular job. The result is an authorization bypass that discloses information the job-level access controls were meant to protect.
Critical Impact
Attackers can enumerate sensitive credential IDs stored in Jenkins, potentially facilitating further attacks against GitLab integrations and CI/CD pipelines.
Affected Products
- Jenkins GitLab Plugin version 1.9.6 and earlier
Discovery Timeline
- 2025-01-22 - CVE-2025-24397 published to NVD
- 2025-10-03 - Last updated in NVD database
Technical Details for CVE-2025-24397
Vulnerability Analysis
This vulnerability (CWE-863: Incorrect Authorization) stems from an improper permission validation mechanism in the Jenkins GitLab Plugin. The plugin fails to verify that the user has Item/Configure permission on the job for which the credential drop-down is being populated before allowing access to the credential enumeration functionality. Instead, the plugin only checks for the global Item/Configure permission, creating a gap in which users who hold that global permission can enumerate credentials they have no job-level right to see.
The vulnerability is classified as a Broken Access Control issue, where the authorization logic is implemented incorrectly. An authenticated attacker with global Item/Configure permission can exploit this flaw to discover GitLab API token IDs and Secret text credential IDs stored within Jenkins, even without having Item/Configure permission on any specific job that uses those credentials.
Root Cause
The root cause is an incorrect permission check implementation in the Jenkins GitLab Plugin. The plugin's authorization logic only validates global-level permissions rather than performing the required job-level permission verification. This allows privilege separation to be bypassed, enabling credential enumeration across the Jenkins instance regardless of job-specific access controls.
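The following pair of Stapler "fill" methods is an added illustration of the flaw described in the analysis and root-cause sections above; it is not code from the GitLab Plugin or from Jenkins. The first method performs only the global Item/Configure check the advisory describes, so the job passed as the request context is ignored; the second checks the permission on that job (and falls back to Jenkins.ADMINISTER when there is no job context). The package, class and method names are hypothetical; the credentials-plugin and Jenkins core calls are the public APIs used by credential-consuming plugins.

```java
// Added example (not GitLab Plugin code): a credentials drop-down filler with
// the weak global-only check beside a job-scoped check. Names are hypothetical.
package example;

import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.ListBoxModel;
import jenkins.model.Jenkins;
import org.jenkinsci.plugins.plaincredentials.StringCredentials;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;

import java.util.Collections;

public class CredentialsIdFill {

    /**
     * Weak: only the global permission is consulted. A user with global
     * Item/Configure but no rights on {@code item} still gets the full list.
     */
    public ListBoxModel doFillCredentialsIdItemsWeak(@AncestorInPath Item item,
                                                     @QueryParameter String credentialsId) {
        StandardListBoxModel result = new StandardListBoxModel();
        if (!Jenkins.get().hasPermission(Item.CONFIGURE)) {
            // Only the value already configured is echoed back; nothing is enumerated.
            return result.includeCurrentValue(credentialsId);
        }
        return listSecretText(result, item, credentialsId);
    }

    /**
     * Hardened: the permission is checked on the job the request is made for.
     * Without a job context the caller must be an administrator.
     */
    public ListBoxModel doFillCredentialsIdItemsHardened(@AncestorInPath Item item,
                                                         @QueryParameter String credentialsId) {
        StandardListBoxModel result = new StandardListBoxModel();
        if (item == null) {
            if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
                return result.includeCurrentValue(credentialsId);
            }
        } else if (!item.hasPermission(Item.CONFIGURE)) {
            // Global Item/Configure is not enough; it must be held on this job.
            return result.includeCurrentValue(credentialsId);
        }
        return listSecretText(result, item, credentialsId);
    }

    /** Shared listing of Secret text credentials visible in the given context. */
    private static ListBoxModel listSecretText(StandardListBoxModel result, Item item,
                                               String credentialsId) {
        return result
                .includeEmptyValue()
                .includeMatchingAs(ACL.SYSTEM, item, StringCredentials.class,
                        Collections.emptyList(), CredentialsMatchers.always())
                .includeCurrentValue(credentialsId);
    }
}
```

The defensive detail worth noting is the early return: when the check fails the method still returns a model, but one containing only the value already stored in the job's configuration, so a caller without the right permission learns nothing beyond what the job page already shows them.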
Attack Vector
The attack can be conducted over the network by an authenticated user who possesses the global Item/Configure permission. The attacker does not require any specific job-level permissions and can enumerate credential IDs without user interaction. While the attack only exposes credential identifiers rather than the actual credential values, this information disclosure can be leveraged for reconnaissance or to craft more targeted attacks against the CI/CD infrastructure.
The exploitation flow involves:
- Authenticating to Jenkins with an account that has global Item/Configure permission
- Accessing the GitLab Plugin's credential enumeration functionality
- Retrieving a list of GitLab API token and Secret text credential IDs without proper authorization checks
Detection Methods for CVE-2025-24397
Indicators of Compromise
- Unusual access patterns to Jenkins credential management endpoints
- Multiple failed or suspicious API calls attempting to list credentials
- Audit log entries showing credential enumeration from users without job-level permissions
- Unexpected access to GitLab integration configuration pages
Detection Strategies
- Monitor Jenkins audit logs for credential listing activities from users with only global permissions
- Implement alerting on bulk credential enumeration attempts
- Review access patterns to GitLab Plugin configuration endpoints
- Cross-reference user permissions against credential access events to identify unauthorized enumeration
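The last strategy above, cross-referencing user permissions against credential access events, is shown below as an added example that is not part of the advisory or of any Jenkins component. The audit-line format, the user names, the job names and the permission table are all constructed for the illustration; a real Jenkins audit source (for instance the Audit Trail plugin's log) has its own format and would need its own parser. The detector flags every credential-listing event whose user lacks job-level Item/Configure on the job in question, and raises a bulk alert when one such user touches several jobs.

```java
// Added example (not advisory or Jenkins code): flag credential-listing events
// by users who hold only the global permission. Log lines and the permission
// table are constructed sample data.
package example;

import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class CredentialEnumerationDetector {

    /** Constructed sample audit lines: timestamp, user, action, job context. */
    static final List<String> SAMPLE_LOG = List.of(
        "2025-01-23T10:15:02Z user=alice action=fillCredentialsIdItems job=backend-api",
        "2025-01-23T10:15:05Z user=alice action=fillCredentialsIdItems job=frontend",
        "2025-01-23T10:15:09Z user=alice action=fillCredentialsIdItems job=infra-deploy",
        "2025-01-23T10:20:41Z user=bob action=fillCredentialsIdItems job=backend-api",
        "2025-01-23T10:21:00Z user=bob action=build job=backend-api"
    );

    /** Constructed table of job-level Item/Configure grants per user. */
    static final Map<String, Set<String>> JOB_CONFIGURE = Map.of(
        "alice", Set.of(),               // holds global Item/Configure only
        "bob",   Set.of("backend-api")   // holds the permission on one job
    );

    static final Pattern LINE = Pattern.compile("^(\\S+) user=(\\S+) action=(\\S+) job=(\\S+)$");

    /** Returns one alert string per suspicious event, plus bulk alerts per user. */
    public static List<String> findUnauthorizedListings(List<String> log,
                                                        Map<String, Set<String>> jobConfigure) {
        List<String> alerts = new ArrayList<>();
        Map<String, Integer> hitsPerUser = new HashMap<>();
        for (String line : log) {
            Matcher m = LINE.matcher(line);
            if (!m.matches() || !m.group(3).equals("fillCredentialsIdItems")) {
                continue; // not a credential-listing event
            }
            String user = m.group(2);
            String job = m.group(4);
            boolean hasJobLevel = jobConfigure.getOrDefault(user, Set.of()).contains(job);
            if (!hasJobLevel) {
                alerts.add(m.group(1) + " " + user + " listed credentials for job " + job
                        + " without job-level Item/Configure");
                hitsPerUser.merge(user, 1, Integer::sum);
            }
        }
        // Bulk enumeration: the same user probing several jobs they cannot configure.
        hitsPerUser.forEach((user, n) -> {
            if (n >= 3) {
                alerts.add("BULK " + user + " enumerated credentials across " + n + " jobs");
            }
        });
        return alerts;
    }

    public static void main(String[] args) {
        // With the sample data: three alerts for alice, one BULK alert, none for bob.
        findUnauthorizedListings(SAMPLE_LOG, JOB_CONFIGURE).forEach(System.out::println);
    }
}
```

The permission table is the part that makes this detection meaningful: an audit log alone shows who listed credentials, but only the comparison against job-level grants distinguishes a legitimate configuration edit from enumeration by a user whose access is global-only.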
Monitoring Recommendations
- Enable and monitor Jenkins security audit logging
- Configure alerts for credential-related API access patterns
- Implement regular reviews of user permissions versus access patterns
- Monitor for reconnaissance activities targeting CI/CD infrastructure
How to Mitigate CVE-2025-24397
Immediate Actions Required
- Update Jenkins GitLab Plugin to a version newer than 1.9.6 that addresses this vulnerability
- Review and restrict global Item/Configure permissions to only essential personnel
- Audit current credential access patterns to identify potential exploitation
- Rotate GitLab API tokens and Secret text credentials if unauthorized enumeration is suspected
Patch Information
Jenkins has released a security advisory addressing this vulnerability. Refer to the Jenkins Security Advisory #SECURITY-3260 for official patch information and updated plugin versions. Organizations should update the GitLab Plugin to the latest available version that includes the permission check fix.
Workarounds
- Restrict global Item/Configure permission to only trusted administrators
- Implement the principle of least privilege for Jenkins user accounts
- Use Jenkins folder-level permissions to limit credential visibility scope
- Consider temporarily disabling the GitLab Plugin if immediate patching is not possible
# Review Jenkins GitLab Plugin version
# Navigate to Jenkins > Manage Jenkins > Manage Plugins > Installed
# Verify GitLab Plugin version is higher than 1.9.6
# Restrict global permissions in Jenkins (config.xml)
# Review and remove unnecessary Item/Configure global permissions
# Location: $JENKINS_HOME/config.xml
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.