Impact
Missing permission checks in the Jenkins Gitee Plugin version 1288.v18b_deb_c9069b_ and earlier allow an attacker who has Overall/Read access to connect to a URL of the attacker's choice using a supplied credential ID. Because the plugin never verifies that the user is authorized to initiate such a connection, the Jenkins server can be made to act as a client to arbitrary external services without sufficient controls. This can lead to unintended data flows or external interactions, potentially exposing the environment to malicious services or leaking sensitive data through credential-based connections. The root cause is an access-control weakness in the plugin's handling of outbound URL requests, which any user with read permission can trigger.
Affected Systems
The Jenkins Gitee Plugin, version 1288.v18b_deb_c9069b_ and earlier, is affected. Any Jenkins instance that has this plugin installed and grants users Overall/Read permission is at risk. The product is distributed by the Jenkins Project and typically deployed within Jenkins environments as an optional plugin.
Risk and Exploitability
The CVSS score of 5.4 indicates a moderate level of risk. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting no widespread exploitation has been documented. An attacker who has Overall/Read permission can leverage the plugin to connect the Jenkins server to any attacker-specified URL using a credential ID that the attacker has obtained via other means. Exploitation requires only the ability to invoke the plugin's interface or API, not elevated network or process privileges; the underlying missing access-control check could let the Jenkins instance communicate with malicious external services and potentially exfiltrate data through credential-based connections.
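As an added illustration, not code from the Gitee plugin or the Jenkins project, the following hypothetical Jenkins descriptor shows a "test connection" form-validation endpoint first without the authorization check this advisory describes as missing, then with the permission and credential-use checks Jenkins expects on such endpoints. The package, class and method names are assumptions; the Jenkins core and credentials-plugin API calls used are real.

```java
// Added illustration (not the Gitee plugin's own code): a hypothetical
// Jenkins descriptor whose "test connection" endpoint is shown once
// without and once with the permission checks the advisory describes as missing.
package example; // hypothetical package name

import hudson.model.Item;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;
import com.cloudbees.plugins.credentials.CredentialsProvider;

public class ConnectionDescriptorExample { // hypothetical class name

    // Vulnerable pattern: any user who can reach the Jenkins UI
    // (Overall/Read) may pick the URL and name a credential ID, and
    // Jenkins opens the outbound connection on their behalf.
    public FormValidation doTestConnectionUnchecked(@QueryParameter String url,
                                                    @QueryParameter String credentialsId) {
        return connect(url, credentialsId);
    }

    // Hardened pattern: require POST (CSRF protection), require a right
    // that implies configuring this connection, and require that the
    // caller may use credentials in this context.
    @POST
    public FormValidation doTestConnection(@AncestorInPath Item item,
                                           @QueryParameter String url,
                                           @QueryParameter String credentialsId) {
        if (item == null) {
            // Global configuration context: only administrators.
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        } else {
            // Job context: must be able to configure the job and use its credentials.
            item.checkPermission(Item.CONFIGURE);
            if (!item.hasPermission(CredentialsProvider.USE_ITEM)) {
                return FormValidation.error("Not permitted to use credentials here");
            }
        }
        return connect(url, credentialsId);
    }

    private FormValidation connect(String url, String credentialsId) {
        // Placeholder for the outbound connection the plugin would perform.
        return FormValidation.ok("Would connect to " + url);
    }
}
```

The checks throw an access-denied response before any outbound request is made, which is the behaviour the unchecked variant lacks.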
OpenCVE Enrichment