GHSA-hx3r-qwxv-5jw9
GitHub Security Advisory
Client Secret stored in plain text by Jenkins GitLab Authentication Plugin
✓ GitHub Reviewed
LOW
Has CVE
Advisory Details
Jenkins GitLab Authentication Plugin 1.13 and earlier stores the GitLab client secret unencrypted in the global `config.xml` file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.
Affected Packages
Maven
org.jenkins-ci.plugins:gitlab-oauth
Affected versions: 0 (fixed in 1.14)
Related CVEs
Key Information
2.5/10
Dataset
Last updated: August 24, 2025 6:28 AM
Data from GitHub Advisory Database. This information is provided for research and educational purposes.