
Cloud Vulnerability DB
A community-led vulnerabilities database
GitLab Branch Source Plugin version 684.vea_fa_7c1e2fe3 and earlier contains a security vulnerability (CVE-2024-23901) that was disclosed on January 24, 2024. The flaw lies in the plugin's project discovery mechanism, specifically in how an organization folder handles GitLab projects that have been shared with the configured owner group. This medium-severity vulnerability affects Jenkins installations running an affected version of the GitLab Branch Source Plugin (Jenkins Advisory, NVD).
The root cause is that affected versions unconditionally discover, and therefore build, every project shared with the configured owner group, regardless of who owns that project. The issue has been assigned a CVSS v3.1 base score of 6.5 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N (NVD). Note the PR:N component: the attacker needs no Jenkins credentials at all, only the ability to share a GitLab project with the group that Jenkins scans.
When exploited, an attacker creates a GitLab project containing a crafted Pipeline (Jenkinsfile) and shares it with the owner group; on the next scan of the group's projects, Jenkins discovers the shared project and builds that Pipeline automatically (Jenkins Advisory).
The vulnerability has been fixed in GitLab Branch Source Plugin version 688.v5fa_356ee8520. In this version, the default discovery strategy no longer discovers projects shared with the configured owner group. If discovery of shared projects is genuinely required, administrators must opt in explicitly by adding the new 'Discover shared projects' trait to the organization folder. After updating, any previously discovered shared projects will be removed on the next scan unless that trait has been added to the organization folder configuration beforehand, so administrators should review which shared projects they actually intend to build before re-enabling the behaviour (Jenkins Advisory).
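To find affected controllers across a fleet, a practitioner will typically pull the installed plugin list from each Jenkins instance and compare the GitLab Branch Source Plugin version against the fixed release. The following check is an added example written for this page, not code from the Jenkins project or the Wiz database. It assumes the plugin's id in the Jenkins plugin manager is `gitlab-branch-source` and that the version list is fetched from the standard `pluginManager/api/json?depth=1` endpoint; the JSON document embedded below is constructed sample input, not a real capture. Jenkins CD-style plugin versions such as `684.vea_fa_7c1e2fe3` carry their ordering only in the leading integer (the trailing `.v…` part is a commit hash), so the comparison keys on that integer, which also correctly classifies older `x.y.z` releases as earlier than the fix.

```python
import json
import re

# Assumed plugin id as reported by /pluginManager/api/json (shortName field).
PLUGIN_ID = "gitlab-branch-source"
# First fixed release per the Jenkins advisory for CVE-2024-23901.
FIXED_VERSION = "688.v5fa_356ee8520"

_LEADING_INT = re.compile(r"^(\d+)")


def version_key(version: str) -> int:
    """Return the ordering component of a Jenkins plugin version.

    '684.vea_fa_7c1e2fe3' -> 684, '688.v5fa_356ee8520' -> 688, '1.5.8' -> 1.
    The hash suffix after '.v' is not ordered and is ignored.
    """
    m = _LEADING_INT.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised plugin version: {version!r}")
    return int(m.group(1))


def is_vulnerable(version: str) -> bool:
    """True if this GitLab Branch Source version predates the fix."""
    return version_key(version) < version_key(FIXED_VERSION)


def assess(plugin_api_json: str) -> dict:
    """Inspect a /pluginManager/api/json?depth=1 document and report status.

    Returns installed/version/vulnerable so callers can aggregate over a fleet.
    """
    data = json.loads(plugin_api_json)
    for plugin in data.get("plugins", []):
        if plugin.get("shortName") == PLUGIN_ID:
            version = plugin.get("version", "")
            return {
                "installed": True,
                "version": version,
                "vulnerable": is_vulnerable(version),
            }
    return {"installed": False, "version": None, "vulnerable": False}


# Constructed sample response; a real one is obtained with, e.g.
#   curl -u user:api-token 'https://jenkins.example/pluginManager/api/json?depth=1'
SAMPLE_RESPONSE = json.dumps({
    "plugins": [
        {"shortName": "workflow-aggregator", "version": "596.v8c21c963d92d"},
        {"shortName": "gitlab-branch-source", "version": "684.vea_fa_7c1e2fe3"},
    ]
})


if __name__ == "__main__":
    report = assess(SAMPLE_RESPONSE)
    status = "VULNERABLE" if report["vulnerable"] else "ok"
    print(f"{PLUGIN_ID} {report['version']}: {status} (fixed in {FIXED_VERSION})")
```

An instance that reports `vulnerable` should be upgraded to 688.v5fa_356ee8520 or later; after the upgrade, check each GitLab organization folder for the 'Discover shared projects' trait and remove it wherever building projects owned by outside groups is not intended.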
Source: This report was generated using AI