CVE-2025-24397: 
Java vulnerability analysis and mitigation

An incorrect permission check vulnerability was discovered in Jenkins GitLab Plugin versions 1.9.6 and earlier, identified as CVE-2025-24397. The vulnerability was disclosed on January 22, 2025, affecting the Jenkins GitLab Plugin's permission verification system. This security issue allows attackers with global Item/Configure permission to enumerate credential IDs of GitLab API token and Secret text credentials stored in Jenkins, even when they lack Item/Configure permission on specific jobs (Jenkins Advisory).

The vulnerability stems from an incorrectly implemented permission check in an HTTP endpoint within the GitLab Plugin. The issue has been assigned a Medium severity CVSS rating. The vulnerability is tracked as SECURITY-3260 in Jenkins' security advisory system and has been classified under CWE-863 (Incorrect Authorization) (CISA-ADP, Jenkins Advisory).

The vulnerability allows attackers to enumerate credential IDs of GitLab API token credentials and Secret text credentials stored in Jenkins. These enumerated credentials could potentially be used as part of a broader attack to capture the actual credentials if combined with another vulnerability (Jenkins Advisory).

The vulnerability has been fixed in GitLab Plugin version 1.9.7, which requires Overall/Administer permission for credential ID enumeration. Users are advised to upgrade to this version to mitigate the vulnerability. The fix implements proper permission checks for accessing credential information (Jenkins Advisory).

The vulnerability was discovered and reported by Kevin Guerroudj and Yaroslav Afenkin from CloudBees, Inc., demonstrating active security research within the Jenkins community (Jenkins Advisory).